Windows Analysis Report
PROD_Start_DriverPack.hta

Overview

General Information

Sample name:PROD_Start_DriverPack.hta
Analysis ID:1427884
MD5:dda846a4704efc2a03e1f8392e6f1ffc
SHA1:387171a06eee5a76aaedc3664385bb89703cf6df
SHA256:e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • mshta.exe (PID: 7360 cmdline: mshta.exe "C:\Users\user\Desktop\PROD_Start_DriverPack.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • WmiPrvSE.exe (PID: 7512 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Snort IDS alert
Timestamp:04/18/24-09:58:27.199647
SID:2831817
Source Port:80
Destination Port:49731
Protocol:TCP
Classtype:A Network Trojan was detected

Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Traffic | Snort IDS: 2831817 ETPRO CURRENT_EVENTS Likely Malicious JS Inbound 46.137.15.86:80 -> 192.168.2.4:49731
Source: global traffic | HTTP traffic detected: GET /bin/step1_av.html HTTP/1.1 | Accept: */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/src/style.css HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/src/missing-scripts-detector.js HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /client_ip.js HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/src/variables/1.js HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/src/variables/2.js HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/src/variables/3.js HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/src/variables/4.js HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/src/variables/5.js HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/src/script.js HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/src/statistics.js HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/src/lang.js HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bin/img/background.jpg HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: dwrapper-prod.herokuapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /matomo.php?idsite=1&rec=1&rand=5523935&apiv=1&cookie=1&bots=1&res=1280x1024&h=9&m=58&s=28&uid=8118157522024418&action_name=Wrapper%20%2F%20Start%20screen%20page&url=https%3A%2F%2Fmy-domain.com%2Fstart_screen.html HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: exampledd.matomo.cloud | Connection: Keep-Alive (action_name decodes to "Wrapper / Start screen page", url to https://my-domain.com/start_screen.html)
Source: global traffic | HTTP traffic detected: GET /matomo.php?idsite=1&rec=1&rand=3535895&apiv=1&cookie=1&bots=1&res=1280x1024&h=9&m=58&s=28&uid=8118157522024418&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C&e_n=&e_v=&ca=1 HTTP/1.1 | Accept: */* | Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: exampledd.matomo.cloud | Connection: Keep-Alive (e_c decodes to "Wrapper / Errors / Missing scripts"; e_a is percent-encoded Russian, "Все скрипты успешно загрузились", i.e. "All scripts loaded successfully")
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 18 Apr 2024 07:58:29 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 101 | Connection: keep-alive | Server: Apache | Vary: X-Forwarded-Port-Override,X-Forwarded-Proto-Override,Accept-Encoding,User-Agent | Content-Encoding: gzip | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 15 ca b1 0d 80 30 0c 04 c0 55 7e 00 c4 0e 94 14 48 14 2c 60 05 8b 58 04 1b 39 46 c0 f6 84 ee 8a 1b 2a 26 0a 3b 0c 52 a1 16 10 ad 41 a5 f0 8a 97 a3 43 64 c6 e2 94 76 d1 0d c3 3c 22 91 fe ed 74 4b dc 12 e9 8a 5b 4a 01 3f 12 4d 91 ed 0a b0 bb 79 ff 01 d2 75 8f 77 5c 00 00 00 | Data Ascii: 0U~H,`X9F*&;RACdv<"tK[J?Myuw\
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 18 Apr 2024 07:58:30 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 101 | Connection: keep-alive | Server: Apache | Vary: X-Forwarded-Port-Override,X-Forwarded-Proto-Override,Accept-Encoding,User-Agent | Content-Encoding: gzip | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 15 ca b1 0d 80 30 0c 04 c0 55 7e 00 c4 0e 94 14 48 14 2c 60 05 8b 58 04 1b 39 46 c0 f6 84 ee 8a 1b 2a 26 0a 3b 0c 52 a1 16 10 ad 41 a5 f0 8a 97 a3 43 64 c6 e2 94 76 d1 0d c3 3c 22 91 fe ed 74 4b dc 12 e9 8a 5b 4a 01 3f 12 4d 91 ed 0a b0 bb 79 ff 01 d2 75 8f 77 5c 00 00 00 | Data Ascii: 0U~H,`X9F*&;RACdv<"tK[J?Myuw\
Source: unknown | DNS traffic detected: queries for: dwrapper-prod.herokuapp.com
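The request entries in this section are exported as one run-together line each. The Python helper below is an added example, not part of the report or of Joe Sandbox: it parses entries in that flattened form (or with headers on separate lines), collects the contacted hosts and URLs as indicators, flags the legacy "MSIE 7.0 ... Trident/7.0" compatibility user agent that MSHTML-hosted script such as mshta.exe sends, and decodes the Matomo telemetry parameters, which turns the percent-encoded e_a value into the Russian text "Все скрипты успешно загрузились" ("All scripts loaded successfully"). The two embedded sample entries are copied from this report; the function names, the header list and the compat-UA heuristic are this example's own assumptions.

```python
"""Triage helper for the 'HTTP traffic detected' entries of a Joe Sandbox
report. Added example, not part of the report or of Joe Sandbox; the parsing
approach, the function names and the UA heuristic are assumptions made here.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: two request entries copied from the Networking section,
# in the flattened one-line form the report export uses.
SAMPLE_ENTRIES = [
    "Source: global trafficHTTP traffic detected: GET /bin/step1_av.html HTTP/1.1"
    "Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflate"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
    "Host: dwrapper-prod.herokuapp.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /matomo.php?idsite=1&rec=1&rand=3535895"
    "&apiv=1&cookie=1&bots=1&res=1280x1024&h=9&m=58&s=28&uid=8118157522024418"
    "&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts"
    "&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20"
    "%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20"
    "%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C&e_n=&e_v=&ca=1 HTTP/1.1"
    "Accept: */*Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html"
    "Accept-Language: en-CHAccept-Encoding: gzip, deflate"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
    "Host: exampledd.matomo.cloudConnection: Keep-Alive",
]

# Request line, then the header blob; re.S lets the blob span several lines.
REQUEST_RE = re.compile(r"HTTP traffic detected: ([A-Z]+) (\S+) HTTP/1\.[01](.*)", re.S)
# The header names this report emits, longest first so 'Accept' cannot swallow
# 'Accept-Language'; with no separators in the blob, the names are the only anchors.
HEADER_RE = re.compile(r"(Accept-Language|Accept-Encoding|User-Agent|Accept|Referer|Host|Connection): ")
# IE7 compatibility-mode UA carrying a Trident/7.0 token: on Windows 10 this comes
# from MSHTML-hosted script (mshta.exe, WebBrowser control), not a current browser.
COMPAT_UA_RE = re.compile(r"MSIE 7\.0;.*Trident/7\.0")


def parse_entry(entry):
    """Return {'method', 'target', 'headers'} for one report entry, or None."""
    m = REQUEST_RE.search(entry)
    if not m:
        return None
    method, target, blob = m.groups()
    parts = HEADER_RE.split(blob)  # ['', name, value, name, value, ...]
    headers = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    return {"method": method, "target": target, "headers": headers}


def is_mshtml_compat_request(req):
    """True when the request carries the IE7/Trident compat UA seen in this report."""
    return bool(COMPAT_UA_RE.search(req["headers"].get("User-Agent", "")))


def decode_matomo(target):
    """Decode the Matomo tracking parameters; parse_qs turns %xx UTF-8 into text."""
    params = parse_qs(urlsplit(target).query)
    keep = ("idsite", "uid", "action_name", "url", "e_c", "e_a")
    return {k: params[k][0] for k in keep if k in params}


def triage(entries):
    """Collect hosts, URLs (path only, query dropped), compat-UA hits and telemetry."""
    hosts, urls, compat, telemetry = set(), [], 0, []
    for entry in entries:
        req = parse_entry(entry)
        if req is None:
            continue
        host = req["headers"].get("Host", "")
        path = urlsplit(req["target"]).path
        hosts.add(host)
        urls.append("http://" + host + path)
        if is_mshtml_compat_request(req):
            compat += 1
        if path == "/matomo.php":
            telemetry.append(decode_matomo(req["target"]))
    return {"hosts": sorted(hosts), "urls": urls,
            "compat_ua_hits": compat, "telemetry": telemetry}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ENTRIES).items():
        print(key, value)
```

Feeding the whole Networking section through triage() gives the host and URL list to block or hunt for, while the decoded Matomo event shows the loader reporting its own load status back to a third-party analytics tenant, which is worth a separate proxy-log query for exampledd.matomo.cloud.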
Source: mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpg
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpg2
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpg94
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpgI2
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpgcal
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpgdI
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpge
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpgo
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/paywall_expert_mode.html
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/paywall_expert_mode.htmlP
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/paywall_expert_mode.htmlu
Source: mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/paywall_expert_mode.htmly
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.js
Source: mshta.exe, 00000000.00000003.1714227041.0000000006467000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.js(
Source: mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsC:
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsG
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsJK
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jscs.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jss
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714227041.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js#
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js/html
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714227041.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jsN
Source: mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jsp
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jst
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.js5.jsSE7
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.js8B
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.jsnEr
Source: mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.jsoC:
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.js
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.js)7
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.js/
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.js_
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.jsate
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.jso
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.jssV
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.css
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.css2
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.cssD
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.cssKB
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.csshta
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.cssl
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.cssu
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js&
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714227041.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js-detector.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js6
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js;
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.jsk
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.jssC:
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/2.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/2.js;
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jssV
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jsu
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.js
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.js3H
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jsI4
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jsK
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jsbV
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jsenu
Source: mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jshttp://dwrapper-prod.herokuapp.com/bin/src/
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js94
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js?
Source: mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/4.jsC:
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/4.jsI
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js_
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/4.jsenu
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js/
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js97
Source: mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsC:
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsDV
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsO
Source: mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jshttp://dwrapper-prod.herokuapp.com/bin/src/
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsrtcuts
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsy4l
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp, PROD_Start_DriverPack.htaString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html)B
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html3
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html9E
Source: mshta.exe, 00000000.00000003.1714227041.000000000645C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlA
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlC:
Source: mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlHKLM
Source: mshta.exe, 00000000.00000003.1733479679.0000000006459000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlb
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmletCookies
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlf
Source: mshta.exe, 00000000.00000002.2925033238.0000000004FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlh
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlhta
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmll
Source: mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmll)B
Source: mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmll7B
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlo9M
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlv
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html~
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html~9
Source: mshta.exe, 00000000.00000003.1733479679.0000000006451000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html~rE
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002E91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1722413056.0000000006551000.00000004.00000020.00020000.00000000.sdmp, step1_av[1].htm.0.drString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.js&
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.js7
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jsP
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jsPack.hta8
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jsh
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jshtmlhta#
Source: mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jshttp://dwrapper-prod.herokuapp.com/bin/src/variables/
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jsng-scripts-detector.js
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.m/bin/step1_av.html
Source: mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, style[1].css.0.drString found in binary or memory: http://emojipedia-us.s3.dualstack.us-west-1.amazonaws.com/thumbs/240/apple/285/white-heavy-check-mar
Source: mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://exampledd.matomo.cloud/
Source: mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://exampledd.matomo.cloud/(
Source: mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://exampledd.matomo.cloud/F
Source: mshta.exe, 00000000.00000003.1714427884.00000000064A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.drString found in binary or memory: http://exampledd.matomo.cloud/matomo.php
Source: mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002E0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=3535895&apiv=1&cookie=1&bots=1&res=1280
Source: mshta.exe, 00000000.00000002.2926779689.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=5523935&apiv=1&cookie=1&bots=1&res=1280
Source: mshta.exe, 00000000.00000003.1714427884.00000000064A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.drString found in binary or memory: https://developer.matomo.org/api-reference/tracking-api
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comtarting...
Source: mshta.exe, 00000000.00000003.1714427884.00000000064A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.dr | String found in binary or memory: https://my-domain.com
Source: mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://my-domain.com&queuedtracking=0&apiv=1&cookie=1&bots=1z
Source: mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nel.heroku.com/reports
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nel.heroku.com/reports?ts=1713427106&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=Thizdw6FGJTo
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=ob
Source: mshta.exe, 00000000.00000003.1734242310.000000000645C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926499361.000000000569C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77J
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nel.heroku.com/reports?ts=1713427108&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=AMdLCtQBxpAf

System Summary

Source: C:\Windows\SysWOW64\mshta.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal52.winHTA@2/16@2/2
Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\PROD_Start_DriverPack.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxtrans.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ddrawex.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ddraw.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dciman32.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxtmsft.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: imgutil.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: esscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: mshta.exe, 00000000.00000002.2926779689.00000000063B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\mshta.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the count of signatures matched for that technique; techniques without a number were not observed):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (12); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Email Collection (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Non-Application Layer Protocol (3); Application Layer Protocol (13); Ingress Tool Transfer (2); Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Source | Detection | Scanner
PROD_Start_DriverPack.hta | 0% | ReversingLabs
PROD_Start_DriverPack.hta | 4% | Virustotal
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner
dwrapper-prod.herokuapp.com | 1% | Virustotal
exampledd.matomo.cloud | 0% | Virustotal

Source | Detection | Scanner
http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js | 2% | Virustotal
http://exampledd.matomo.cloud/ | 0% | Virustotal
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlC: | 2% | Virustotal
http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js | 4% | Virustotal
http://dwrapper-prod.herokuapp.com/bin/src/statistics.js | 0% | Virustotal
http://dwrapper-prod.herokuapp.com/bin/src/script.js | 0% | Virustotal
http://dwrapper-prod.herokuapp.com/client_ip.jsng-scripts-detector.js | 2% | Virustotal
http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsC: | 3% | Virustotal
http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jshttp://dwrapper-prod.herokuapp.com/bin/src/ | 2% | Virustotal
http://dwrapper-prod.herokuapp.com/bin/src/lang.jsC: | 3% | Virustotal
http://dwrapper-prod.herokuapp.com/bin/src/style.css | 0% | Virustotal
https://my-domain.com | 0% | Virustotal
Name | IP | Active | Malicious | Reputation
dwrapper-prod.herokuapp.com | 46.137.15.86 | true | true | unknown
exampledd.matomo.cloud | 3.126.133.169 | true | false | unknown
Name | Malicious | Reputation
http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js | true | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js | true | unknown
http://dwrapper-prod.herokuapp.com/bin/src/script.js | true | unknown
http://dwrapper-prod.herokuapp.com/bin/src/statistics.js | true | unknown
http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=3535895&apiv=1&cookie=1&bots=1&res=1280x1024&h=9&m=58&s=28&uid=8118157522024418&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C&e_n=&e_v=&ca=1 | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/style.css | true | unknown
http://dwrapper-prod.herokuapp.com/client_ip.js | true | unknown
http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=5523935&apiv=1&cookie=1&bots=1&res=1280x1024&h=9&m=58&s=28&uid=8118157522024418&action_name=Wrapper%20%2F%20Start%20screen%20page&url=https%3A%2F%2Fmy-domain.com%2Fstart_screen.html | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/lang.js | true | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/3.js | true | unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.html | true | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js | true | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js | true | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/2.js | true | unknown
http://dwrapper-prod.herokuapp.com/bin/img/background.jpg | true | unknown
Name | Source | Malicious | Reputation
http://exampledd.matomo.cloud/F | mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/lang.js( | mshta.exe, 00000000.00000003.1714227041.0000000006467000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlHKLM | mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js_ | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/script.js8B | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jsI4 | mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlC: | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/statistics.jsate | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/2.js; | mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jsenum | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://exampledd.matomo.cloud/ | mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmll)B | mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jsu | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/4.jsI | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.html)B | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/img/background.jpg2 | mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/script.jsnEr | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlhta | mshta.exe, 00000000.00000002.2923542831.0000000002E5E000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js? | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://my-domain.com | mshta.exe, 00000000.00000003.1714427884.00000000064A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.dr | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsC: | mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/lang.jsG | mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js94 | mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/client_ip.jsng-scripts-detector.js | mshta.exe, 00000000.00000002.2923542831.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js/ | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.html9E | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/lang.jsC: | mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jshttp://dwrapper-prod.herokuapp.com/bin/src/ | mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/statistics.js)7 | mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://my-domain.com&queuedtracking=0&apiv=1&cookie=1&bots=1z | mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmp | false | low
https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=ob | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | high
http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js/html | mshta.exe, 00000000.00000002.2923542831.0000000002DED000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.html3 | mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/statistics.jssV | mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://exampledd.matomo.cloud/matomo.php | mshta.exe, 00000000.00000003.1714427884.00000000064A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.dr | false | unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js& | mshta.exe, 00000000.00000002.2923542831.0000000002E5E000.00000004.00000020.00020000.00000000.sdmp | false | unknown
                                                                                http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlAmshta.exe, 00000000.00000003.1714227041.000000000645C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  http://dwrapper-prod.herokuapp.com/bin/src/lang.jssmshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://dwrapper-prod.herokuapp.com/bin/step1_av.html~9mshta.exe, 00000000.00000002.2923542831.0000000002DFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://dwrapper-prod.herokuapp.com/bin/src/lang.jsJKmshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js-detector.jsmshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714227041.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js6mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsDVmshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://dwrapper-prod.herokuapp.com/bin/src/script.jsoC:mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jsbVmshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://dwrapper-prod.herokuapp.com/bin/src/script.js5.jsSE7mshta.exe, 00000000.00000002.2923542831.0000000002E5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=5523935&apiv=1&cookie=1&bots=1&res=1280mshta.exe, 00000000.00000002.2926779689.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlbmshta.exe, 00000000.00000003.1733479679.0000000006459000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://dwrapper-prod.herokuapp.com/bin/img/background.jpg94mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://dwrapper-prod.herokuapp.com/bin/src/style.csshtamshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jsNmshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714227041.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlfmshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js;mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://dwrapper-prod.herokuapp.com/client_ip.jshtmlhta#mshta.exe, 00000000.00000002.2923542831.0000000002E5E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://dwrapper-prod.herokuapp.com/bin/src/statistics.js_mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://dwrapper-prod.herokuapp.com/bin/img/background.jpgI2mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlvmshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://dwrapper-prod.herokuapp.com/bin/src/style.cssumshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://dwrapper-prod.herokuapp.com/bin/src/style.csslmshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlhmshta.exe, 00000000.00000002.2925033238.0000000004FE7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://dwrapper-prod.herokuapp.com/bin/step1_av.htmllmshta.exe, 00000000.00000002.2923542831.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://dwrapper-prod.herokuapp.com/bin/src/statistics.jsomshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jspmshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://dwrapper-prod.herokuapp.com/bin/src/variables/1.jssC:mshta.exe, 00000000.00000002.2923542831.0000000002DFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://dwrapper-prod.herokuapp.com/bin/step1_av.htmll7Bmshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://dwrapper-prod.herokuapp.com/bin/step1_av.html~mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://dwrapper-prod.herokuapp.com/client_ip.js7mshta.exe, 00000000.00000002.2923542831.0000000002E91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jstmshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jsKmshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://dwrapper-prod.herokuapp.com/bin/src/variables/1.jskmshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://nel.heroku.com/reportsmshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://dwrapper-prod.herokuapp.com/client_ip.js&mshta.exe, 00000000.00000002.2923542831.0000000002E91000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://dwrapper-prod.herokuapp.com/bin/src/variables/3.js3Hmshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=3535895&apiv=1&cookie=1&bots=1&res=1280mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002E0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://dwrapper-prod.herokuapp.com/bin/src/style.cssDmshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://emojipedia-us.s3.dualstack.us-west-1.amazonaws.com/thumbs/240/apple/285/white-heavy-check-marmshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, style[1].css.0.drfalse
                                                                                                                                                                high
                                                                                                                                                                http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jssVmshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsrtcutsmshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://developer.matomo.org/api-reference/tracking-apimshta.exe, 00000000.00000003.1714427884.00000000064A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsy4lmshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://dwrapper-prod.herokuapp.m/bin/step1_av.htmlmshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jshttp://dwrapper-prod.herokuapp.com/bin/src/mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            http://dwrapper-prod.herokuapp.com/mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              http://dwrapper-prod.herokuapp.com/bin/img/background.jpgcalmshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                http://dwrapper-prod.herokuapp.com/client_ip.jsPack.hta8mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
3.126.133.169 | exampledd.matomo.cloud | United States | 16509 | AMAZON-02US | false
46.137.15.86 | dwrapper-prod.herokuapp.com | Ireland | 16509 | AMAZON-02US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427884
Start date and time: 2024-04-18 09:57:32 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PROD_Start_DriverPack.hta
Detection: MAL
Classification: mal52.winHTA@2/16@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 30
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .hta
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 7360 because it is empty
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time       Type              Description
09:58:27   API Interceptor   1x Sleep call for process: mshta.exe modified
Process: C:\Windows\SysWOW64\mshta.exe
File Type: data
Category: dropped
Size (bytes): 49120
Entropy (8bit): 0.0017331682157558962
Encrypted: false
SSDEEP: 3:Ztt:T
MD5: 0392ADA071EB68355BED625D8F9695F3
SHA1: 777253141235B6C6AC92E17E297A1482E82252CC
SHA-256: B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512: EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious: false
Preview: (non-printable bytes only; the report renders each as a dot)
Process: C:\Windows\SysWOW64\mshta.exe
File Type: ASCII text, with no line terminators
Category: modified
Size (bytes): 92
Entropy (8bit): 4.252484278666437
Encrypted: false
SSDEEP: 3:fFSIKX2gOBFXlWPZsVSvXdAkFWJJaMpFyab:tSIKlOBFVkscGJJasf
MD5: 51C8E2EC2D4A042736B88F1BE1BE5B7E
SHA1: 1D0129C54851C24EF993FDED1645041F9DBDEEB0
SHA-256: 481BEEA6F83C5C784276DF3BFB8693CC60C0CE8EF0A2CB8F47D624E2D6C9B076
SHA-512: E65F716422E1617E2840D0F16B04672F0F64296E57086A8ECA3FC778853D4B7DAB8173698FEA5BBC2617411CA1A8E50759A7D479614833BDF900DE0B619E32DF
Malicious: false
Preview: As Matomo is not installed yet, the Tracking API cannot proceed and will exit without error.
Process: C:\Windows\SysWOW64\mshta.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 30
Entropy (8bit): 4.231401845392172
Encrypted: false
SSDEEP: 3:qYwmHMUWLrCHe:qY3HVWLrEe
MD5: 237C21A7373FFF0B07DBF9F5ED125A49
SHA1: BE651F7D52FC65ED6E2ED25F5DCF32D527E3BFE1
SHA-256: 7B52AF5DBF4535E927B9881ACBCF24EF89B0E80EF980862CBAEDAC91686DDFB5
SHA-512: 94B28CD862AB2D29E272187B839E1DB057729D926C3C0DD46CC6ADC3065D901C60A8B1FCF307DDD62D181063E93BADEA7449FB0AE07D70D314DF1C51E68A6D85
Malicious: false
Preview: var clientIp = "81.181.57.52";
Process: C:\Windows\SysWOW64\mshta.exe
File Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1807
Entropy (8bit): 4.663040957738839
Encrypted: false
SSDEEP: 24:cuM2VgeG3RWZQericn0EG1WGDROQP/YZqpMT6BM393pfb0+4p3wdJOIC5ypfLLcD:cDcgnwfiOGWK77iiM5FI5C2ylGf
MD5: 5BB70933199563BD95A85E9D58D0920B
SHA1: 1E0322DD237C61A911D58D11F3A2879D78A36444
SHA-256: 915A03DDD5D887CE43185A21FD9927FFCFC6E8F373D80D6FB0BFE96E65C029CD
SHA-512: 7F727D6F0ABB14746B24D10E7D2A532B20BA44B0E177C4B1D778BDF8EA3AC4D8B4D644EBEC169DAA4777DFFD22B376D1DAFB0EF790815558A665922598DA24EB
Malicious: false
Preview (line terminators shown as dots in the report; preview ends mid-function):
    var loadedJS = [];
    if (typeof loadedJS !== "undefined") { loadedJS.push("missing-scripts-detector.js"); }

    function getScriptNames() {
        var scripts = document.getElementsByTagName("script");
        var names = [];

        for (var i = 0; i < scripts.length; i++) {
            var url = scripts[i].src;
            if ((url) && (url.indexOf("client_ip.js") === -1)) {
                var parts = url.split("/");
                var name = parts[parts.length - 1];
                names.push(name);
            }
        }

        return names;
    }

    function logMissingScripts() {
        var allJS = getScriptNames();
        var missingJS = [];

        for (var i = 0; i < allJS.length; i++) {
            var isLoaded = false;

            for (var j = 0; j < loadedJS.length; j++) {
                if (typeof loadedJS[j] === "string" && loadedJS[j] === allJS[i]) {
                    isLoaded = true;
                    break;
                }
            }

            if (!isLoaded) {
                missingJS.push(allJS[i]);
Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 9377
Entropy (8bit): 5.787296740555329
Encrypted: false
SSDEEP: 192:aK4l7E1OvVpt62zdbfOHuPcMktm14t6dGBmQLEALL:vDXFlFL
MD5: 1FAE5694001ACA3836F123E1A89AFD3D
SHA1: AF928CF191AB07D12BDA774D13B8AE9423F4122A
SHA-256: 2240EF798569427F1B37E16BF630D7BD5E415F5835CA9FDF730E1F063721291B
SHA-512: C521041F321C8394274E8F61E394132B31F29143C7925635E88FC466C8AC5B0B72D2BEC7204612FFEA0A88B2FD8D8B861BD1B92F6F86FDA9BE7BC67E5B99DDB7
Malicious: false
Preview (line terminators shown as dots in the report; stray comment fragments are as captured; preview ends mid-tag):
    <!DOCTYPE html>
    <html>

    <head>
        <title>Launcher</title>
         ->
         <meta http-equiv="X-UA-Compatible" content="IE=7">
         -->
        <HTA:APPLICATION ID="dwrapper" APPLICATIONNAME="dwrapper" ICON="%windir%\System32\magnify.exe" WIDTH="700"
            HEIGHT="600" CONTEXTMENU="yes" SELECTION="yes" APPLICATION="no" BORDER="none" CAPTION="no" INNERBORDER="no"
            MAXIMIZEBUTTON="yes" MINIMIZEBUTTON="yes" NAVIGABLE="yes" SCROLL="no" SCROLLFLAT="no" SHOWINTASKBAR="yes"
            SINGLEINSTANCE="no" SYSMENU="yes" VERSION="0.1" WINDOWSTATE="normal" />

        <link type="text/css" rel="stylesheet" href="./src/style.css" />
        <script type="text/javascript" src="./src/missing-scripts-detector.js"></script>
        <script type="text/javascript" src="http://dwrapper-prod.herokuapp.com/client_ip.js"></script>

        <script type="text/javascript" src="./src/variables.js"></script>
        -->
        <script type="text/javascript" src="./src/variables/1.js"></script>
        <script type="text/javascript" src="./src/var
Process: C:\Windows\SysWOW64\mshta.exe
File Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 4446
Entropy (8bit): 5.356367296070018
Encrypted: false
SSDEEP: 96:ff+KQOCVOvwTcBGy4e0PNmD2yTkbCFWS6VOz/TESJ7IK5JRes0Uf93IPDmQlyyPv:ff+KQHjn5PICykjVEJ7t5JRz3gKQlLff
MD5: CE40483E494B033AA4A204080ABB54DA
SHA1: DE2F905749B10491D2D0DB6A79210425E94BF5AC
SHA-256: 1FC4501622BAFC4560C28442D01F708579F26AFBB88229328B2CE7E83A2D36A8
SHA-512: 2ECC3BB2951435126CA161CB7A9DAFA1CF08CB8F88CD1BECB7BBBA02F025485C4F68DE517E19A9774BB0EDBE075E7ED047DF0AB13BC525AA61F8405F41809A81
Malicious: false
Preview (line terminators and non-ASCII comment text shown as dots in the report):
    html,
    body {
        height: 100%;
        margin: 0;
        padding: 0;
        overflow-x: hidden;
        overflow-y: hidden;
    }
    body {
        overflow-y: auto;
    }

    body {
        font-family: Calibri, 'Segoe UI', Verdana, Tahoma, Geneva, sans-serif;
        font-weight: lighter;
        font-size: 22px;
        padding-left: 40px;
        padding-right: 40px;
        color: white;
    }

    body, p, div, span {
        cursor: default; /* ....... ...... ... ...... . ...... ......... */
    }

    /* ...... .. ......... ...... ... .... ......... */
    body, div, p {
        -ms-user-select: none; /* IE . Edge */
        user-select: none; /* ........... ......... */
    }

    a {
        cursor: pointer; /* ...... . .... .... ... ...... */
    }

    #backgroundImage {
        position: absolute;
        z-index: -99999;
        top: 0px;
        left: 0px;
        opacity: 0.1;
        filter: alpha(opacity=10);
        background: url('../img/background.jpg') no-repeat;
        width: 5900px;
        height: 5900px;
    }

Process:C:\Windows\SysWOW64\mshta.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1798
Entropy (8bit):5.650222615572486
Encrypted:false
SSDEEP:24:JmXoFt/3fzapY9M3hvKXKr1u3ES4LopdF622bv27jPQzLkKWyU:YYFZep1vC3EV12YsszAKWyU
MD5:B2AEEF062DB55284085A863B0FCF48A5
SHA1:8C59EAD571761CAAE34B0C2776E3EA32D19AAF48
SHA-256:C79C9F0F44CA9EF9E84346BB88C12187C3F0DDE18F6C8FA83A54D1D89CBB0CB7
SHA-512:751113322B59EB6B1BE63C0BEF65335053FE205F3836CC4FF7800A4D368DD240015F327CF1A6274FAAB1B49659D219A1DE59B633AE67DACC8CFED62BC57F3ADD
Malicious:false
Preview:.if (typeof loadedJS !== "undefined") { loadedJS.push("1.js"); }....var version = "0.14";..var buildDate = "2023/04/02"; // YYYY/MM/DD..var Reg = "HKCU\\SOFTWARE\\dwrapper\\";....try {...var WshShell = new ActiveXObject("WScript.Shell");...var WshEnv = WshShell.Environment("PROCESS");...var AppData = WshShell.SpecialFolders("AppData");...var ProgramFiles = WshShell.ExpandEnvironmentStrings("%ProgramW6432%") || WshShell.ExpandEnvironmentStrings("%ProgramFiles%");...var ProgramFilesX86 = WshShell.ExpandEnvironmentStrings("%ProgramFiles(x86)%");...var tempDir = WshShell.ExpandEnvironmentStrings("%TEMP%");...var fso = new ActiveXObject("Scripting.FileSystemObject");...var locator = new ActiveXObject("WbemScripting.SWbemLocator");...var objWMIService = locator.ConnectServer(null, "root\\cimv2");...var objShell = new ActiveXObject("Shell.Application");...document.title = document.title + " " + version;..}..catch (e) {...//......... ...... .. ....... ........

Process:C:\Windows\SysWOW64\mshta.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):5086
Entropy (8bit):5.422218540561902
Encrypted:false
SSDEEP:96:Q+LHTI2QlTMWpFuh5mS2huO4KzbNgT5cN2yd6uAcq1BLYaX2Vv5I9Ffv5+T0iNDW:QSTI28TMWXu4caWT5cZIvgILZ+AkDC5
MD5:22D3D08CBEC1245327396FAA5B60725A
SHA1:71DFB22D57F73CD5390F1991B6013AB44CD7351A
SHA-256:923CBFF9E47CA64E292A8932A13ED11F9E4A488DC20775181B010231F15E3E26
SHA-512:D90B4C383077038D436B9E125240B62CFD928D24940E464A93FC88A0C76F1F1EE79E617CCCE0F41FBF1DF3D660C3764E323F02674E2F45BBA0CD31B957E09D92
Malicious:false
Preview:.if (typeof loadedJS !== "undefined") { loadedJS.push("2.js"); }....function getCurrentDirectory() {...var fso = new ActiveXObject("Scripting.FileSystemObject");...var htaPath = fso.GetAbsolutePathName(document.location.pathname);...var directory = fso.GetParentFolderName(htaPath);.....var baseUrl = document.location.href.split("/").slice(0, -1).join("/");...var htaUrl = baseUrl + "/" + fso.GetFileName(htaPath);...if (htaUrl === document.location.href) {....return baseUrl;...}...return directory;..}..var current_dir = getCurrentDirectory();........// Detect OS..var is64 = false;..if (WshShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%") == "AMD64"...|| WshShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITEW6432%") != "%PROCESSOR_ARCHITEW6432%") {...is64 = true;..}......var OSVersion = 5;..var OSVersionSP = 0;....var colItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL");..var enumItems = new Enumerator(colItems);..for (; !enumItems.atEnd(); enumItems.

Process:C:\Windows\SysWOW64\mshta.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):2538
Entropy (8bit):5.676353904867985
Encrypted:false
SSDEEP:48:YPpaPGzh7iHgZ03jZ4onR1AF3R8I/idgw6+9dSVlhHH7QpZXKxDU:BP+EgZ0TZRu/id66wVD1Y
MD5:CC9E168614A8D567352E24F970CA21E0
SHA1:623C06BB9699F5AD91C4D19199A0F3780FC76A4D
SHA-256:578820B83CD0244FFC068665C531A8C7D633F890A927A682A1708B84B7A08702
SHA-512:A98DACDE394030A590E9D31941F71B8FBA3544EDCA2F17188FA940B314E58A8139FD62CF664A3D49264C8812053F5E869ECB6700A2B2A7BDCABD3C731C224D2F
Malicious:false
Preview:.if (typeof loadedJS !== "undefined") { loadedJS.push("3.js"); }....// Read registry..// ToDo: ......... ....-.....!!!..function RegRead(key) {.....key = key.replace('HKEY_LOCAL_MACHINE\\', 'HKLM\\');...key = key.replace('HKEY_CURRENT_USER\\', 'HKCU\\');.....ret = RegRead32(key);.....if ((!ret) && (key.indexOf('\\SOFTWARE\\Microsoft\\') != -1)) {....var t_key = key.replace('\\SOFTWARE\\Microsoft\\', '\\SOFTWARE\\Wow6432Node\\Microsoft\\');......ret = RegRead32(t_key);...}.....if (!ret && is64) {....ret = RegRead64(key);...}.....return ret;....}....function RegRead32(key) {...var ret = "";...try { ret = WshShell.RegRead(key); }...catch (e) { ret = ""; }...return ret;..}......function RegRead64(key) {...try {....var HKEY_LOCAL_MACHINE = 0x80000002;....var HKEY_CURRENT_USER = 0x80000001;......var context = new ActiveXObject("WbemScripting.SWbemNamedValueSet");....context.Add("__ProviderArchitecture", 64);....context.Add("__RequiredArchitecture", true);....var locator =

Process:C:\Windows\SysWOW64\mshta.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1157
Entropy (8bit):5.443625546433963
Encrypted:false
SSDEEP:24:JmrIkiNpip1BYNeupYeuHgk2x3HN5E1vIfooGUeerKeQ3No:YrMNpTnanuH/Emf+UJrKeiNo
MD5:B21247B2428E6D9F72405EB1A2F5F75C
SHA1:11C6612989710432AE9730C2C20CE7EE9F0DF609
SHA-256:9DDF298484BD63F71CFF04DD81E00913266FA8D71793E2C26F3B7B215067812C
SHA-512:D3060F786D378680DA1917F7E00878A2012C6B9C497693B0C01BECF5D896F2681E851FB4F6724710A6E9C755D988A0828DF55B0966B431A38756355B9ACD0EBB
Malicious:false
Preview:.if (typeof loadedJS !== "undefined") { loadedJS.push("4.js"); }....function generateClientID() {...var generateRandomNumber = Math.floor(Math.random() * 1e16);...var getCurrentTimestamp = new Date().getTime();...return generateRandomNumber + "." + getCurrentTimestamp;..}....// .......... . ....... Client ID..if (RegExists(Reg + 'clientID')) {...window.clientID = RegRead(Reg + 'clientID');..}..else {...window.clientID = generateClientID();...RegWrite(Reg + 'clientID', window.clientID)..}......// Open url..function goToUrl(url) {...lf('goToUrl');...try {....defBrowser = RegRead("HKCU\\SOFTWARE\\Clients\\StartMenuInternet\\");....if (!defBrowser) defBrowser = RegRead("HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\");....runComm = RegRead("HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\" + defBrowser + "\\shell\\open\\command\\");....runComm = runComm.replace(/"/ig, '');....if (runComm).....WshShell.Run('"' + runComm + '" ' + '"' + url + '"', 1, false);....else.....window.o

Process:C:\Windows\SysWOW64\mshta.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):557
Entropy (8bit):5.282553853799004
Encrypted:false
SSDEEP:12:JqdCBVofmsnKA1B8lsD20X9koquJYVaXBZVz1odqnA:JmCBCf/N162auVVWVGm+A
MD5:50B3202ACF32B140238D284FD2F9CE17
SHA1:72F7DB2CB9B6D09AC1F853A365D329D83F5B6C9C
SHA-256:F173F32E6CE3B40E56CC2B41EA8F6B15555F2B38D069A39F561C40EBC4F51EDA
SHA-512:BC83DEABB31CCE7E1BFA7269360FB4ADFDA9FB7117BE455810C6B6F6BA3A0AE9875B3063B9A6CBA5B034B294252C9B24830DB31D0F2092CD0B0B2AE058F9CA86
Malicious:false
Preview:.if (typeof loadedJS !== "undefined") { loadedJS.push("5.js"); }....function addLoadEvent(func) {...var oldonload = window.onload || function () { };...if (typeof window.onload != "function") {....window.onload = func;...} else {....window.onload = function () {.....if (oldonload) {......oldonload();.....}.....func();....};...}...// ......... ......... ......... . ........ ....... ..... .., .... ........ ... ...........if (document.readyState === "complete") {....func();...}..}

Process:C:\Windows\SysWOW64\mshta.exe
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1400x700, components 3
Category:dropped
Size (bytes):12533
Entropy (8bit):7.054402364396009
Encrypted:false
SSDEEP:192:1hH1IrfJwZ6jSQRLUq3jwY1m9YRi4d1daN351SvFTnzew8x5QY5S9OdFEGuy+Z:DSrfDjLu/m9Rrdc3bSv4fx55dmRVZ
MD5:127D8C7FA37B2B4DEE77ADC97AA2BCC5
SHA1:6C819AC7FB5377E466609B5155E57ACE3FF87A06
SHA-256:60FDC7731E194240FE1B586290AFD762793625A92E1BB21061B0B47628861160
SHA-512:B73AE1AAD03E391FB7C014596CF33CC2CA30DF27C6986686B4F60C922B898BC8C4379180F8FBDF2E9F6C1824621CB4A5506B3E98C5A0E82112183420BE939BB1
Malicious:false
Preview:......JFIF.....H.H.....C...........................#.%$"."!&+7/&)4)!"0A149;>>>%.DIC<H7=>;...C...........;("(;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;........x..".....................................*.......................!1A.QaqB"2......R.....................................................!1..AQ............?....U.Q.@A`.(.(., . .....QD.P..A@A@H)......"....P..E.X@dj.....@H(.(.... ...E.A@A@A@DP.P.P..@DX(.....AH..4.#H...$F...E.X.B(... .!..E. . ...(...AP.....@...................X@@........". . . ."(., . .3.............<..(.P..@H(.(........(..AH.,....."..............AE.P....."..P.X@DhQ.@Aa............H.$"... .$".........."..QD........@H)."F.dX....(.B(..4....T...Q.5..".(. . .., . ...!...."...@A@A@AQD.."..T.........H.....y..... ...X@H...H........@Aa.Aa....... .E..........A`.(.(.(.(.).Dj$....P.P...D...........PE...............D....... .A@A`.(........... 2,.....DhQ....i.!.......!...#DQ.`.(...Dj.....H.$"..R....P....(..4.0.(.....D......X@B(...G.,#. . .24........#I......D...P.Q..XE

Process:C:\Windows\SysWOW64\mshta.exe
File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (399), with CRLF line terminators
Category:dropped
Size (bytes):89189
Entropy (8bit):5.522968579633954
Encrypted:false
SSDEEP:1536:cw73iClRspQnNdwE+pyXxeq4yM6FLRDGg:cw73iCjspO/wE+pULj
MD5:3B196A2A5E0875A186EFA1A6101B775D
SHA1:9A2E605751E1F9C0C2FA0B2EE119BA4886F27B8E
SHA-256:B6EF0302FB7FE71577D6B6AFE104B4C890FC6419FB9A9C4EC359A0CC25EA8885
SHA-512:3C8136E89D08BF91852834B54FFB2B5334FCDBEDD974F134A38238A0B7B3D138504C74ABE4486936846788253D9050C750C9F8F8C082D749E03F092DF80F3E0E
Malicious:false
Preview:.if (typeof loadedJS !== "undefined") { loadedJS.push("lang.js"); }....var l = {.. ru: {.. 'defender_instruction_win7_1': '1. ........ ......... ..........: <a href="#" onclick="openDefenderSettingsWin7(); return false;">......... Windows Defender</a><br>',.. 'defender_instruction_win7_2': '2. ....... .. ...... "........." . ....... ...... ....<br>',.. 'defender_instruction_win7_3': '3. . ....... "...... . ........ ......." ....... ...... . ..... "............ ...... . ...... ......... ......."<br>',.. 'defender_instruction_win7_4': '4. ....... .. ...... ".........".<br><br>',.... 'defender_instruction_win8_1': '1. ........ ......... ..........: <a href="#" onclick="openDefenderSettingsWin7(); return false;">......... Wind

Process:C:\Windows\SysWOW64\mshta.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):92
Entropy (8bit):4.252484278666437
Encrypted:false
SSDEEP:3:fFSIKX2gOBFXlWPZsVSvXdAkFWJJaMpFyab:tSIKlOBFVkscGJJasf
MD5:51C8E2EC2D4A042736B88F1BE1BE5B7E
SHA1:1D0129C54851C24EF993FDED1645041F9DBDEEB0
SHA-256:481BEEA6F83C5C784276DF3BFB8693CC60C0CE8EF0A2CB8F47D624E2D6C9B076
SHA-512:E65F716422E1617E2840D0F16B04672F0F64296E57086A8ECA3FC778853D4B7DAB8173698FEA5BBC2617411CA1A8E50759A7D479614833BDF900DE0B619E32DF
Malicious:false
Preview:As Matomo is not installed yet, the Tracking API cannot proceed and will exit without error.

Process:C:\Windows\SysWOW64\mshta.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):7661
Entropy (8bit):5.704917864767306
Encrypted:false
SSDEEP:192:Bm4eX7GFrwjpBfvtzV22aHyxnHjSC6gWWjfVJpZzsxlot21P4Z:Zqi6/vt0Un7WWjrpZzsK21QZ
MD5:5E3199E1E9AB11EF8DB27BDC821ECCDC
SHA1:D11FDA451561C08FDD68D6D8731C8C17F60DC800
SHA-256:DDF24F928593CF87E0DB0744F8456761089140766A23768D9106BB73EFBD0515
SHA-512:CD2223F7992AED63955845E5115CF217CC7F1C4418C4E58DDD42843419D023127BC4017728B245A34B4D5EE6B8EFDABBE416B987996153458328BBBF4D627718
Malicious:false
Preview:.if (typeof loadedJS !== "undefined") { loadedJS.push("script.js"); }....var windowWidth = 700;..var windowHeight = 600;..function resizeWindow() {...var screenWidth = screen.availWidth;...var screenHeight = screen.availHeight;.....var newX = (screenWidth - windowWidth) / 2;...var newY = (screenHeight - windowHeight) / 2;.....var randomNumber = Math.floor(Math.random() * 5) + 1;.....try {....window.resizeTo(windowWidth, windowHeight + randomNumber);....window.moveTo(newX, newY);...} catch (e) { }..}..if ((typeof autoResizeNoNeed != 'undefined') && (autoResizeNoNeed !== true)) {...resizeWindow();...setTimeout(resizeWindow, 1000);..}....function closeHTA() {...window.moveTo(-1000, -1000)...setTimeout(function () { window.close(); }, 1000);.....sendMatomoEvent({....trackEvent: {.....category: 'Wrapper',.....action: 'Application closed'....}...});..}..function openPageHTA(url, target) {...try {....if (target) {.....var exec = WshShell.Exec('%windir%\\system32\\mshta.exe "' + url + '"');.
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7939
                                                                                                                                                                                  Entropy (8bit):5.5019934667444055
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:rLVRyhuoevivVLbVxev+ZTNqPsQ/VGRPu5hOj631NFlJ6WNbjSb1pxCEoqbY:GhyU2GTNMIuizc
                                                                                                                                                                                  MD5:0701E8CE6920DA0050B219769314E144
                                                                                                                                                                                  SHA1:8063C0D6CA04E74351209E957D2C8FA95E1A44A4
                                                                                                                                                                                  SHA-256:5D53ECD246441E19CD7B305749C822132476170938E5B7A673856B1FD29708BF
                                                                                                                                                                                  SHA-512:D748682D921976E19790C720603647FE2A325627AF5CAE7565F7BE8DFA894E5D9F22198170D5B237773172B09684B4BDACF06D0ED0A07734BC61205D4BD73A01
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.if (typeof loadedJS !== "undefined") { loadedJS.push("statistics.js"); }..../*..// ............ .. Matomo Tracking HTTP API..// https://developer.matomo.org/api-reference/tracking-api......// ... ......... ........ ...... ....... sendMatomoEvent() . .......... ...........:..sendMatomoEvent({.. title: 'Menu',.. url: 'https://example.com/menu'..});....// ........ ....... . ............. . .......... URL:..sendMatomoEvent({.. title: 'Homepage',.. url: '/home'..});....// ........ ....... . .........., ........., ...... . .........:..sendMatomoEvent({.. trackEvent: {.. category: 'User Interaction',.. action: 'Click',.. name: 'Button 1',.. value: '10'.. }..});....// ........ ....... . ................. ....... (_cvar) . ........... .... (goalId):..sendMatomoE
                                                                                                                                                                                  File type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                  Entropy (8bit):5.121271796929296
                                                                                                                                                                                  TrID:
                                                                                                                                                                                  • HyperText Markup Language (15004/1) 83.32%
                                                                                                                                                                                  • Text - UTF-8 encoded (3003/1) 16.68%
                                                                                                                                                                                  File name:PROD_Start_DriverPack.hta
                                                                                                                                                                                  File size:1'672 bytes
                                                                                                                                                                                  MD5:dda846a4704efc2a03e1f8392e6f1ffc
                                                                                                                                                                                  SHA1:387171a06eee5a76aaedc3664385bb89703cf6df
                                                                                                                                                                                  SHA256:e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25
                                                                                                                                                                                  SHA512:5cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a
                                                                                                                                                                                  SSDEEP:48:uzK1vpKljUYpuqgs1pxXzOSRByHCpmF50bxxdW6kI:qiIT3BjNOSOGmF50tKA
                                                                                                                                                                                  TLSH:34310E660D56902090372A6247FE620AEB73A5631289E752B8CC914F3F70B439E43BE8
                                                                                                                                                                                  File Content Preview:...<!DOCTYPE html>..<html>....<head>.. <title>Starting...</title>.. ->.. <meta http-equiv="X-UA-Compatible" content="IE=7">.. -->.... { IF [NOSCRIPT] } -->.. .. <noscript>.. <meta http-equiv="refresh" c
Timestamp:04/18/24-09:58:27.199647
Protocol:TCP
SID:2831817
Message:ETPRO CURRENT_EVENTS Likely Malicious JS Inbound
Source Port:80
Dest Port:49731
Source IP:46.137.15.86
Dest IP:192.168.2.4
Timestamp / Source Port / Dest Port / Source IP / Dest IP
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854625940 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854629040 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854641914 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854655027 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854657888 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854667902 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854677916 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854681969 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854696035 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854727983 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854748964 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:27.854768038 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:27.962443113 CEST4973180192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066639900 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066662073 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066670895 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066679955 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066757917 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066850901 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066935062 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066948891 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066950083 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066963911 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066975117 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066982031 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.066994905 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067002058 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067013979 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067018986 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067023039 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067039967 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067047119 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067054033 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067065954 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067069054 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067073107 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067080975 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067092896 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067091942 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067101002 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067111969 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067123890 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067131996 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067136049 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067148924 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067161083 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067167044 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067172050 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067186117 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067209959 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.067230940 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174279928 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174304962 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174314976 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174329996 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174341917 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174354076 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174365044 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174376011 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174386978 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174396992 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174407959 CEST804973146.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174451113 CEST4973180192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174452066 CEST4973180192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.174540997 CEST4973180192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279303074 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279336929 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279350042 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279361010 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279372931 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279385090 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279437065 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279457092 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279464006 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279469967 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279548883 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279552937 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279552937 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279552937 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279562950 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279576063 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279587984 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279594898 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279601097 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279624939 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279789925 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279803038 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279814005 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279824972 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279831886 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279836893 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279844999 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279853106 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279856920 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279865026 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279876947 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279887915 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279892921 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279907942 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279917955 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279930115 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279942036 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279947042 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279954910 CEST804973046.137.15.86192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:28.279985905 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:28.280004978 CEST4973080192.168.2.446.137.15.86
                                                                                                                                                                                  Apr 18, 2024 09:58:29.530895948 CEST4973480192.168.2.43.126.133.169
                                                                                                                                                                                  Apr 18, 2024 09:58:29.739361048 CEST80497343.126.133.169192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:29.739552021 CEST4973480192.168.2.43.126.133.169
                                                                                                                                                                                  Apr 18, 2024 09:58:29.739794970 CEST4973480192.168.2.43.126.133.169
                                                                                                                                                                                  Apr 18, 2024 09:58:29.949111938 CEST80497343.126.133.169192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:29.953696966 CEST80497343.126.133.169192.168.2.4
                                                                                                                                                                                  Apr 18, 2024 09:58:29.953845978 CEST4973480192.168.2.43.126.133.169
Apr 18, 2024 09:58:30.139106035 CEST | 49734 | 80 | 192.168.2.4 | 3.126.133.169
Apr 18, 2024 09:58:30.351322889 CEST | 80 | 49734 | 3.126.133.169 | 192.168.2.4
Apr 18, 2024 09:58:30.351423979 CEST | 49734 | 80 | 192.168.2.4 | 3.126.133.169
Apr 18, 2024 09:58:43.411211967 CEST | 80 | 49731 | 46.137.15.86 | 192.168.2.4
Apr 18, 2024 09:58:43.411377907 CEST | 49731 | 80 | 192.168.2.4 | 46.137.15.86
Apr 18, 2024 09:58:43.511981964 CEST | 80 | 49730 | 46.137.15.86 | 192.168.2.4
Apr 18, 2024 09:58:43.512152910 CEST | 49730 | 80 | 192.168.2.4 | 46.137.15.86
Apr 18, 2024 09:58:58.624777079 CEST | 80 | 49731 | 46.137.15.86 | 192.168.2.4
Apr 18, 2024 09:58:58.624836922 CEST | 49731 | 80 | 192.168.2.4 | 46.137.15.86
Apr 18, 2024 09:58:58.730715990 CEST | 80 | 49730 | 46.137.15.86 | 192.168.2.4
Apr 18, 2024 09:58:58.730768919 CEST | 49730 | 80 | 192.168.2.4 | 46.137.15.86
Apr 18, 2024 09:59:13.835130930 CEST | 80 | 49731 | 46.137.15.86 | 192.168.2.4
Apr 18, 2024 09:59:13.835258007 CEST | 49731 | 80 | 192.168.2.4 | 46.137.15.86
Apr 18, 2024 09:59:13.943983078 CEST | 80 | 49730 | 46.137.15.86 | 192.168.2.4
Apr 18, 2024 09:59:13.944053888 CEST | 49730 | 80 | 192.168.2.4 | 46.137.15.86
Apr 18, 2024 09:59:27.855532885 CEST | 80 | 49730 | 46.137.15.86 | 192.168.2.4
Apr 18, 2024 09:59:27.855676889 CEST | 49730 | 80 | 192.168.2.4 | 46.137.15.86
Apr 18, 2024 09:59:28.175358057 CEST | 80 | 49731 | 46.137.15.86 | 192.168.2.4
Apr 18, 2024 09:59:28.175431013 CEST | 49731 | 80 | 192.168.2.4 | 46.137.15.86
Apr 18, 2024 10:00:16.054467916 CEST | 49734 | 80 | 192.168.2.4 | 3.126.133.169
Apr 18, 2024 10:00:16.054634094 CEST | 49730 | 80 | 192.168.2.4 | 46.137.15.86
Apr 18, 2024 10:00:16.054809093 CEST | 49731 | 80 | 192.168.2.4 | 46.137.15.86
Apr 18, 2024 10:00:16.263122082 CEST | 80 | 49734 | 3.126.133.169 | 192.168.2.4
Apr 18, 2024 10:00:16.263262033 CEST | 49734 | 80 | 192.168.2.4 | 3.126.133.169
Apr 18, 2024 10:00:16.264250040 CEST | 80 | 49731 | 46.137.15.86 | 192.168.2.4
Apr 18, 2024 10:00:16.266869068 CEST | 80 | 49730 | 46.137.15.86 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 09:58:25.991645098 CEST | 49974 | 53 | 192.168.2.4 | 1.1.1.1
Apr 18, 2024 09:58:26.116246939 CEST | 53 | 49974 | 1.1.1.1 | 192.168.2.4
Apr 18, 2024 09:58:29.424001932 CEST | 59209 | 53 | 192.168.2.4 | 1.1.1.1
Apr 18, 2024 09:58:29.529798985 CEST | 53 | 59209 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 18, 2024 09:58:25.991645098 CEST | 192.168.2.4 | 1.1.1.1 | 0xa363 | Standard query (0) | dwrapper-prod.herokuapp.com | A (IP address) | IN (0x0001) | false
Apr 18, 2024 09:58:29.424001932 CEST | 192.168.2.4 | 1.1.1.1 | 0x31fa | Standard query (0) | exampledd.matomo.cloud | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 18, 2024 09:58:26.116246939 CEST | 1.1.1.1 | 192.168.2.4 | 0xa363 | No error (0) | dwrapper-prod.herokuapp.com |  | 46.137.15.86 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 09:58:26.116246939 CEST | 1.1.1.1 | 192.168.2.4 | 0xa363 | No error (0) | dwrapper-prod.herokuapp.com |  | 54.73.53.134 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 09:58:26.116246939 CEST | 1.1.1.1 | 192.168.2.4 | 0xa363 | No error (0) | dwrapper-prod.herokuapp.com |  | 54.220.192.176 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 09:58:29.529798985 CEST | 1.1.1.1 | 192.168.2.4 | 0x31fa | No error (0) | exampledd.matomo.cloud |  | 3.126.133.169 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 09:58:29.529798985 CEST | 1.1.1.1 | 192.168.2.4 | 0x31fa | No error (0) | exampledd.matomo.cloud |  | 18.157.122.248 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 09:58:29.529798985 CEST | 1.1.1.1 | 192.168.2.4 | 0x31fa | No error (0) | exampledd.matomo.cloud |  | 18.195.235.189 | A (IP address) | IN (0x0001) | false
• dwrapper-prod.herokuapp.com
• exampledd.matomo.cloud
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 46.137.15.86 | 80 | 7360 | C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                                                  Apr 18, 2024 09:58:26.336942911 CEST328OUTGET /bin/step1_av.html HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  Apr 18, 2024 09:58:26.552829027 CEST896INHTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427106&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=Thizdw6FGJToxNZojckteEPOwZnr5X3RaJ%2F82FuaCus%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427106&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=Thizdw6FGJToxNZojckteEPOwZnr5X3RaJ%2F82FuaCus%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:26 GMT
                                                                                                                                                                                  Content-Type: text/html
                                                                                                                                                                                  Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                  Etag: W/"65c60595-24a1"
                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Expires: 0
                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                  Content-Encoding: gzip
                                                                                                                                                                                  Via: 1.1 vegur
                                                                                                                                                                                  Apr 18, 2024 09:58:26.553014994 CEST1289INData Raw: 62 34 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d5 5a eb 6e db c8 15 fe ad 02 7d 87 09 d1 8d 6c 20 92 ec f8 96 38 92 01 d9 56 63 a1 b6 6c 44 ca 26 5b 2c 60 50 e2 c8 66 4c 91 2a 49 39 76 8b 00 b9 6c b0 45 93 ed 76 8b 2d 50 b4 68 b6 dd 3e 40 9d 6c 2e
                                                                                                                                                                                  Data Ascii: b48Zn}l 8VclD&[,`PfL*I9vlEv-Ph>@l.}}~gds3'6$<FYWw6M3R)),g]fh^5jr)BnNB<(]|^bf
                                                                                                                                                                                  Apr 18, 2024 09:58:26.553054094 CEST1289INData Raw: e6 3d 17 2b be f7 9e 11 9f fe 23 06 68 ff 01 a1 43 c4 38 84 58 1e 5d a0 6f 08 08 ab 8e 69 4b 1a c7 df 00 2b bd bc f4 8e 81 8b 64 e0 bd f5 3f a3 bd 9e 7b 6f 10 66 6e 08 67 77 d8 bf ef 7e 0d e9 d1 38 c9 ea 39 e8 a0 e7 33 da 0a 84 be c1 37 89 58 8c
                                                                                                                                                                                  Data Ascii: =+#hC8X]oiK+d?{ofngw~8937X<_gD>m>C=q.&!CWJUIhYP2L*3,gs?^`_y}-I7!#?G##iRQ(Fn]d7BP
                                                                                                                                                                                  Apr 18, 2024 09:58:26.553090096 CEST322INData Raw: 99 10 51 21 d6 72 0e 5a 5a 61 4b 53 76 f2 53 d4 c9 c7 7d b6 6c f3 f5 ef 63 e1 67 12 c1 4d f9 a0 5b 80 a8 51 12 54 13 fd 9b ea 7f 47 8d 83 06 21 ba 3f fe 17 74 fe 90 85 0f 9d 68 7b 0e 5b d9 8c 2a 5a 67 61 05 13 2b 55 06 5c c9 cb 4e 1b 19 34 d5 05
                                                                                                                                                                                  Data Ascii: Q!rZZaKSvS}lcgM[QTG!?th{[*Zga+U\N4-\"0%V22?JRWp^^aWu5<5hdVvc mhW5rxQwJF6\;hF9o[}Y,cw@6w[Py
                                                                                                                                                                                  Apr 18, 2024 09:58:26.562304020 CEST391OUTGET /bin/src/style.css HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  Apr 18, 2024 09:58:26.776782990 CEST1289INHTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427106&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=Thizdw6FGJToxNZojckteEPOwZnr5X3RaJ%2F82FuaCus%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427106&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=Thizdw6FGJToxNZojckteEPOwZnr5X3RaJ%2F82FuaCus%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:26 GMT
                                                                                                                                                                                  Content-Type: text/css
                                                                                                                                                                                  Content-Length: 4446
                                                                                                                                                                                  Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
                                                                                                                                                                                  Etag: "65c60595-115e"
                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Expires: 0
                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                  Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: ef bb bf 68 74 6d 6c 2c 0d 0a 62 6f 64 79 20 7b 0d 0a 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 09 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 09 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 09 6f 76 65 72 66 6c 6f 77 2d 78 3a 20 68 69 64 64 65 6e 3b 0d 0a 09 6f 76 65 72 66 6c 6f 77 2d 79 3a 20 68 69 64 64 65 6e 3b 0d 0a 7d 0d 0a 62 6f 64 79 20 7b 0d 0a 09 6f 76 65 72 66 6c 6f 77 2d 79 3a 20 61 75 74 6f 3b 0d 0a 7d 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 61 6c 69 62 72 69 2c 20 27 53 65 67 6f 65 20 55 49 27 2c 20 56 65 72 64 61 6e 61 2c 20 54 61 68 6f 6d 61 2c 20 47 65 6e 65 76 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6c 69 67 68 74 65 72 3b 0d 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0d 0a 09 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 34 30 70 78 3b 0d 0a 09 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 34 30 70 78 3b 0d 0a 09 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0d 0a 7d 0d 0a 0d 0a 62 6f 64 79 2c 20 70 2c 20 64 69 76 2c 20 73 70 61 6e 20 7b 0d 0a 09 63 75 72 73 6f 72 3a 20 64 65 66 61 75 6c 74 3b 20 2f 2a 20 d0 9e d0 b1 d1 8b d1 87 d0 bd d1 8b d0 b9 20 d0 ba d1 83 d1 80 d1 81 d0 be d1 80 20 d0 b4
                                                                                                                                                                                  Data Ascii: html,body {height: 100%;margin: 0;padding: 0;overflow-x: hidden;overflow-y: hidden;}body {overflow-y: auto;}body {font-family: Calibri, 'Segoe UI', Verdana, Tahoma, Geneva, sans-serif;font-weight: lighter;font-size: 22px;padding-left: 40px;padding-right: 40px;color: white;}body, p, div, span {cursor: default; /*
                                                                                                                                                                                  Apr 18, 2024 09:58:26.776825905 CEST1289INData Raw: d0 bb d1 8f 20 d1 82 d0 b5 d0 ba d1 81 d1 82 d0 b0 20 d0 b8 20 d0 b4 d1 80 d1 83 d0 b3 d0 b8 d1 85 20 d1 8d d0 bb d0 b5 d0 bc d0 b5 d0 bd d1 82 d0 be d0 b2 20 2a 2f 0d 0a 7d 0d 0a 0d 0a 2f 2a 20 d0 97 d0 b0 d0 bf d1 80 d0 b5 d1 82 20 d0 bd d0 b0
                                                                                                                                                                                  Data Ascii: */}/* */body, div, p {-ms-user-select: none; /* IE Edge */user-select: none; /*
                                                                                                                                                                                  Apr 18, 2024 09:58:26.776865005 CEST1289INData Raw: 0d 0a 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 61 6e 74 69 76 69 72 75 73 2d 69 6e 66 6f 20 73 70 61 6e 20 7b 0d 0a 09 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 7d 0d 0a 0d 0a 69 6d 67 20 7b
                                                                                                                                                                                  Data Ascii: margin-bottom: 20px;}.antivirus-info span {display: block;}img {max-width: 100%;}.content {margin-top: 20px;}ul {list-style: none;padding: 0;}h1 {text-align: center;}#download-button {
                                                                                                                                                                                  Apr 18, 2024 09:58:26.776901960 CEST1289INData Raw: 73 65 6c 20 6c 69 20 69 6d 67 20 7b 0d 0a 09 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 0d 0a 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 31 30 70 78 3b 0d 0a 09 77 69 64 74 68 3a 20 32 30 30 70 78 3b 0d 0a 7d 0d 0a 0d 0a 23 63 61 72 6f 75 73 65 6c 2d
                                                                                                                                                                                  Data Ascii: sel li img {float: left;margin-right: 10px;width: 200px;}#carousel-dots {position: absolute;bottom: 10px;left: 0;right: 0;text-align: center;}.dot {display: inline-block;width: 10px;height: 10px;
                                                                                                                                                                                  Apr 18, 2024 09:58:26.776937962 CEST175INData Raw: 0a 7d 0d 0a 0d 0a 61 20 7b 0d 0a 09 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 7d 0d 0a 61 3a 68 6f 76 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 65 66 65 66 65 66 3b 0d 0a 7d 0d 0a 61 3a 76 69 73 69 74 65 64 20 7b 0d 0a 20 20
                                                                                                                                                                                  Data Ascii: }a {color: #ffffff;}a:hover { color: #efefef;}a:visited { color: #ffffff;}a:focus { color: #efefef;}a:active { color: #efefef;}
                                                                                                                                                                                  Apr 18, 2024 09:58:26.778635979 CEST386OUTGET /client_ip.js HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  Apr 18, 2024 09:58:26.993371964 CEST823INHTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427106&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=Thizdw6FGJToxNZojckteEPOwZnr5X3RaJ%2F82FuaCus%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427106&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=Thizdw6FGJToxNZojckteEPOwZnr5X3RaJ%2F82FuaCus%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:26 GMT
                                                                                                                                                                                  Content-Type: application/javascript
                                                                                                                                                                                  Content-Length: 30
                                                                                                                                                                                  Expires: Fri, 19 Apr 2024 07:58:26 GMT
                                                                                                                                                                                  Cache-Control: max-age=86400
                                                                                                                                                                                  Cache-Control: public, max-age=86400, immutable
                                                                                                                                                                                  Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: 76 61 72 20 63 6c 69 65 6e 74 49 70 20 3d 20 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 3b
                                                                                                                                                                                  Data Ascii: var clientIp = "81.181.57.52";
Apr 18, 2024 09:58:26.993782043 CEST | 396 | OUT | GET /bin/src/variables/2.js HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
Apr 18, 2024 09:58:27.209388018 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:27 GMT
                                                                                                                                                                                  Content-Type: application/javascript
                                                                                                                                                                                  Content-Length: 5086
                                                                                                                                                                                  Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
                                                                                                                                                                                  Etag: "65c60595-13de"
                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Expires: 0
                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                  Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 32 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 67 65 74 43 75 72 72 65 6e 74 44 69 72 65 63 74 6f 72 79 28 29 20 7b 0d 0a 09 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 53 63 72 69 70 74 69 6e 67 2e 46 69 6c 65 53 79 73 74 65 6d 4f 62 6a 65 63 74 22 29 3b 0d 0a 09 76 61 72 20 68 74 61 50 61 74 68 20 3d 20 66 73 6f 2e 47 65 74 41 62 73 6f 6c 75 74 65 50 61 74 68 4e 61 6d 65 28 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 29 3b 0d 0a 09 76 61 72 20 64 69 72 65 63 74 6f 72 79 20 3d 20 66 73 6f 2e 47 65 74 50 61 72 65 6e 74 46 6f 6c 64 65 72 4e 61 6d 65 28 68 74 61 50 61 74 68 29 3b 0d 0a 0d 0a 09 76 61 72 20 62 61 73 65 55 72 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2e 73 70 6c 69 74 28 22 2f 22 29 2e 73 6c 69 63 65 28 30 2c 20 2d 31 29 2e 6a 6f 69 6e 28 22 2f 22 29 3b 0d 0a 09 76 61 72 20 68 74 61 55 72 6c 20 3d 20 62 61 73 65 55 72 6c 20 2b 20 22 2f 22 20 2b 20 66 73
                                                                                                                                                                                  Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("2.js"); }function getCurrentDirectory() {var fso = new ActiveXObject("Scripting.FileSystemObject");var htaPath = fso.GetAbsolutePathName(document.location.pathname);var directory = fso.GetParentFolderName(htaPath);var baseUrl = document.location.href.split("/").slice(0, -1).join("/");var htaUrl = baseUrl + "/" + fs
Apr 18, 2024 09:58:27.209428072 CEST | 1289 | IN | Data Raw: 6f 2e 47 65 74 46 69 6c 65 4e 61 6d 65 28 68 74 61 50 61 74 68 29 3b 0d 0a 09 69 66 20 28 68 74 61 55 72 6c 20 3d 3d 3d 20 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 20 7b 0d 0a 09 09 72 65 74 75 72 6e 20 62 61 73 65 55
                                                                                                                                                                                  Data Ascii: o.GetFileName(htaPath);if (htaUrl === document.location.href) {return baseUrl;}return directory;}var current_dir = getCurrentDirectory();// Detect OSvar is64 = false;if (WshShell.ExpandEnvironmentStrings("%PROCESSO
Apr 18, 2024 09:58:27.209465981 CEST | 1289 | IN | Data Raw: 63 6b 22 29 20 21 3d 20 22 2d 31 22 29 20 7b 0d 0a 09 09 4f 53 53 65 72 76 69 63 65 50 61 63 6b 20 3d 20 4f 53 53 65 72 76 69 63 65 50 61 63 6b 2e 72 65 70 6c 61 63 65 28 2f 53 65 72 76 69 63 65 20 50 61 63 6b 20 2f 69 2c 20 22 22 29 2e 72 65 70
                                                                                                                                                                                  Data Ascii: ck") != "-1") {OSServicePack = OSServicePack.replace(/Service Pack /i, "").replace('null', '').replace('undefined', '');OSVersionSP = parseInt(OSServicePack);}}catch (e) { }//ServicePack//IE versionfunction getIntern
Apr 18, 2024 09:58:27.209503889 CEST | 1289 | IN | Data Raw: 72 73 20 3d 20 39 3b 20 7d 0d 0a 09 7d 0d 0a 7d 20 63 61 74 63 68 20 28 65 29 20 7b 20 49 45 52 65 61 6c 56 65 72 73 20 3d 20 39 3b 20 7d 0d 0a 2f 2f 46 69 78 20 66 6f 72 20 49 45 31 30 0d 0a 0d 0a 69 66 20 28 49 45 56 65 72 73 20 3d 3d 20 30 29
                                                                                                                                                                                  Data Ascii: rs = 9; }}} catch (e) { IERealVers = 9; }//Fix for IE10if (IEVers == 0) { IEVers = IERealVers; }//alert('IEVers: '+IEVers+' IERealVers: '+IERealVers);//IE version//JavaScript versionvar JSVersion = ScriptEngine() + " " +
Apr 18, 2024 09:58:27.212390900 CEST | 396 | OUT | GET /bin/src/variables/4.js HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
Apr 18, 2024 09:58:27.425801039 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:27 GMT
                                                                                                                                                                                  Content-Type: application/javascript
                                                                                                                                                                                  Content-Length: 1157
                                                                                                                                                                                  Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
                                                                                                                                                                                  Etag: "65c60595-485"
                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Expires: 0
                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                  Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 34 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 67 65 6e 65 72 61 74 65 43 6c 69 65 6e 74 49 44 28 29 20 7b 0d 0a 09 76 61 72 20 67 65 6e 65 72 61 74 65 52 61 6e 64 6f 6d 4e 75 6d 62 65 72 20 3d 20 4d 61 74 68 2e 66 6c 6f 6f 72 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 20 2a 20 31 65 31 36 29 3b 0d 0a 09 76 61 72 20 67 65 74 43 75 72 72 65 6e 74 54 69 6d 65 73 74 61 6d 70 20 3d 20 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 3b 0d 0a 09 72 65 74 75 72 6e 20 67 65 6e 65 72 61 74 65 52 61 6e 64 6f 6d 4e 75 6d 62 65 72 20 2b 20 22 2e 22 20 2b 20 67 65 74 43 75 72 72 65 6e 74 54 69 6d 65 73 74 61 6d 70 3b 0d 0a 7d 0d 0a 0d 0a 2f 2f 20 d0 93 d0 b5 d0 bd d0 b5 d1 80 d0 b8 d1 80 d1 83 d0 b5 d0 bc 20 d0 b8 20 d0 b2 d1 8b d0 b2 d0 be d0 b4 d0 b8 d0 bc 20 43 6c 69 65 6e 74 20 49 44 0d 0a 69 66 20 28 52 65 67 45 78 69 73 74 73 28 52 65 67 20 2b 20 27 63 6c 69 65 6e 74 49 44 27 29 29 20 7b 0d 0a 09 77 69 6e 64 6f 77 2e 63 6c 69 65 6e 74 49 44 20 3d 20 52 65 67 52 65 61 64 28 52
Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("4.js"); }function generateClientID() {var generateRandomNumber = Math.floor(Math.random() * 1e16);var getCurrentTimestamp = new Date().getTime();return generateRandomNumber + "." + getCurrentTimestamp;}// Generate and output Client IDif (RegExists(Reg + 'clientID')) {window.clientID = RegRead(R
Apr 18, 2024 09:58:27.427067995 CEST | 391 | OUT | GET /bin/src/script.js HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
Apr 18, 2024 09:58:27.640280008 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:27 GMT
                                                                                                                                                                                  Content-Type: application/javascript
                                                                                                                                                                                  Content-Length: 7661
                                                                                                                                                                                  Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
                                                                                                                                                                                  Etag: "65c60595-1ded"
                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Expires: 0
                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                  Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 73 63 72 69 70 74 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 76 61 72 20 77 69 6e 64 6f 77 57 69 64 74 68 20 3d 20 37 30 30 3b 0d 0a 76 61 72 20 77 69 6e 64 6f 77 48 65 69 67 68 74 20 3d 20 36 30 30 3b 0d 0a 66 75 6e 63 74 69 6f 6e 20 72 65 73 69 7a 65 57 69 6e 64 6f 77 28 29 20 7b 0d 0a 09 76 61 72 20 73 63 72 65 65 6e 57 69 64 74 68 20 3d 20 73 63 72 65 65 6e 2e 61 76 61 69 6c 57 69 64 74 68 3b 0d 0a 09 76 61 72 20 73 63 72 65 65 6e 48 65 69 67 68 74 20 3d 20 73 63 72 65 65 6e 2e 61 76 61 69 6c 48 65 69 67 68 74 3b 0d 0a 0d 0a 09 76 61 72 20 6e 65 77 58 20 3d 20 28 73 63 72 65 65 6e 57 69 64 74 68 20 2d 20 77 69 6e 64 6f 77 57 69 64 74 68 29 20 2f 20 32 3b 0d 0a 09 76 61 72 20 6e 65 77 59 20 3d 20 28 73 63 72 65 65 6e 48 65 69 67 68 74 20 2d 20 77 69 6e 64 6f 77 48 65 69 67 68 74 29 20 2f 20 32 3b 0d 0a 0d 0a 09 76 61 72 20 72 61 6e 64 6f 6d 4e 75 6d 62 65 72 20 3d 20 4d 61 74 68 2e 66 6c 6f 6f 72 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 20 2a 20 35 29 20 2b 20 31 3b 0d 0a 0d 0a 09 74 72 79 20 7b 0d
                                                                                                                                                                                  Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("script.js"); }var windowWidth = 700;var windowHeight = 600;function resizeWindow() {var screenWidth = screen.availWidth;var screenHeight = screen.availHeight;var newX = (screenWidth - windowWidth) / 2;var newY = (screenHeight - windowHeight) / 2;var randomNumber = Math.floor(Math.random() * 5) + 1;try {
Apr 18, 2024 09:58:27.641175032 CEST | 389 | OUT | GET /bin/src/lang.js HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
Apr 18, 2024 09:58:27.854402065 CEST | 897 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:27 GMT
                                                                                                                                                                                  Content-Type: application/javascript
                                                                                                                                                                                  Content-Length: 89189
                                                                                                                                                                                  Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
                                                                                                                                                                                  Etag: "65c60595-15c65"
                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Expires: 0
                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                  Via: 1.1 vegur


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 46.137.15.86 | 80 | 7360 | C:\Windows\SysWOW64\mshta.exe
Timestamp | Bytes transferred | Direction | Data
Apr 18, 2024 09:58:26.773833036 CEST | 409 | OUT | GET /bin/src/missing-scripts-detector.js HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
Apr 18, 2024 09:58:26.986823082 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427106&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=Thizdw6FGJToxNZojckteEPOwZnr5X3RaJ%2F82FuaCus%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427106&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=Thizdw6FGJToxNZojckteEPOwZnr5X3RaJ%2F82FuaCus%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:26 GMT
                                                                                                                                                                                  Content-Type: application/javascript
                                                                                                                                                                                  Content-Length: 1807
                                                                                                                                                                                  Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
                                                                                                                                                                                  Etag: "65c60595-70f"
                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Expires: 0
                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                  Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: ef bb bf 76 61 72 20 6c 6f 61 64 65 64 4a 53 20 3d 20 5b 5d 3b 0d 0a 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 6d 69 73 73 69 6e 67 2d 73 63 72 69 70 74 73 2d 64 65 74 65 63 74 6f 72 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 67 65 74 53 63 72 69 70 74 4e 61 6d 65 73 28 29 20 7b 0d 0a 20 20 20 20 76 61 72 20 73 63 72 69 70 74 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 3b 0d 0a 20 20 20 20 76 61 72 20 6e 61 6d 65 73 20 3d 20 5b 5d 3b 0d 0a 0d 0a 20 20 20 20 66 6f 72 20 28 76 61 72 20 69 20 3d 20 30 3b 20 69 20 3c 20 73 63 72 69 70 74 73 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 73 63 72 69 70 74 73 5b 69 5d 2e 73 72 63 3b 0d 0a 20 20 20 20 20 20 20 20 69 66 20 28 28 75 72 6c 29 20 26 26 20 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 22 63 6c 69 65 6e 74 5f 69 70 2e 6a 73 22 29 20 3d 3d 3d 20 2d 31 29 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 70 61 72 74 73
                                                                                                                                                                                  Data Ascii: var loadedJS = [];if (typeof loadedJS !== "undefined") { loadedJS.push("missing-scripts-detector.js"); }function getScriptNames() { var scripts = document.getElementsByTagName("script"); var names = []; for (var i = 0; i < scripts.length; i++) { var url = scripts[i].src; if ((url) && (url.indexOf("client_ip.js") === -1)) { var parts
Apr 18, 2024 09:58:26.986864090 CEST | 1289 | IN | Data Raw: 20 3d 20 75 72 6c 2e 73 70 6c 69 74 28 22 2f 22 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6e 61 6d 65 20 3d 20 70 61 72 74 73 5b 70 61 72 74 73 2e 6c 65 6e 67 74 68 20 2d 20 31 5d 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6e
                                                                                                                                                                                  Data Ascii: = url.split("/"); var name = parts[parts.length - 1]; names.push(name); } } return names;}function logMissingScripts() { var allJS = getScriptNames(); var missingJS = []; f
Apr 18, 2024 09:58:26.986897945 CEST | 127 | IN | Data Raw: 27 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 61 63 74 69 6f 6e 3a 20 27 d0 92 d1 81 d0 b5 20 d1 81 d0 ba d1 80 d0 b8 d0 bf d1 82 d1 8b 20 d1 83 d1 81 d0 bf d0 b5 d1 88 d0 bd d0 be 20 d0 b7 d0 b0 d0 b3 d1 80 d1 83 d0 b7 d0 b8 d0 bb
Data Ascii: ', action: 'Все скрипты успешно загрузил[…]' } }); }}  (The Cyrillic string is restored from the Data Raw bytes above, which the ASCII rendering blanked; the raw dump itself is cut off mid-word. Russian for "All scripts loaded successfully".)
Apr 18, 2024 09:58:26.988054037 CEST | 396 | OUT | GET /bin/src/variables/1.js HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
Apr 18, 2024 09:58:27.199646950 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:27 GMT
                                                                                                                                                                                  Content-Type: application/javascript
                                                                                                                                                                                  Content-Length: 1798
                                                                                                                                                                                  Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
                                                                                                                                                                                  Etag: "65c60595-706"
                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Expires: 0
                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                  Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 31 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 76 61 72 20 76 65 72 73 69 6f 6e 20 3d 20 22 30 2e 31 34 22 3b 0d 0a 76 61 72 20 62 75 69 6c 64 44 61 74 65 20 3d 20 22 32 30 32 33 2f 30 34 2f 30 32 22 3b 20 2f 2f 20 59 59 59 59 2f 4d 4d 2f 44 44 0d 0a 76 61 72 20 52 65 67 20 3d 20 22 48 4b 43 55 5c 5c 53 4f 46 54 57 41 52 45 5c 5c 64 77 72 61 70 70 65 72 5c 5c 22 3b 0d 0a 0d 0a 74 72 79 20 7b 0d 0a 09 76 61 72 20 57 73 68 53 68 65 6c 6c 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 3b 0d 0a 09 76 61 72 20 57 73 68 45 6e 76 20 3d 20 57 73 68 53 68 65 6c 6c 2e 45 6e 76 69 72 6f 6e 6d 65 6e 74 28 22 50 52 4f 43 45 53 53 22 29 3b 0d 0a 09 76 61 72 20 41 70 70 44 61 74 61 20 3d 20 57 73 68 53 68 65 6c 6c 2e 53 70 65 63 69 61 6c 46 6f 6c 64 65 72 73 28 22 41 70 70 44 61 74 61 22 29 3b 0d 0a 09 76 61 72 20 50 72 6f 67 72 61 6d 46 69 6c 65 73 20 3d 20 57 73 68 53 68 65 6c 6c 2e 45 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28
                                                                                                                                                                                  Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("1.js"); }var version = "0.14";var buildDate = "2023/04/02"; // YYYY/MM/DDvar Reg = "HKCU\\SOFTWARE\\dwrapper\\";try {var WshShell = new ActiveXObject("WScript.Shell");var WshEnv = WshShell.Environment("PROCESS");var AppData = WshShell.SpecialFolders("AppData");var ProgramFiles = WshShell.ExpandEnvironmentStrings(
Apr 18, 2024 09:58:27.199696064 CEST | 1289 | IN | Data Raw: 22 25 50 72 6f 67 72 61 6d 57 36 34 33 32 25 22 29 20 7c 7c 20 57 73 68 53 68 65 6c 6c 2e 45 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 50 72 6f 67 72 61 6d 46 69 6c 65 73 25 22 29 3b 0d 0a 09 76 61 72 20 50 72
                                                                                                                                                                                  Data Ascii: "%ProgramW6432%") || WshShell.ExpandEnvironmentStrings("%ProgramFiles%");var ProgramFilesX86 = WshShell.ExpandEnvironmentStrings("%ProgramFiles(x86)%");var tempDir = WshShell.ExpandEnvironmentStrings("%TEMP%");var fso = new ActiveXObj
Apr 18, 2024 09:58:27.199753046 CEST | 114 | IN | Data Raw: 2f 20 32 3b 0d 0a 0d 0a 09 09 77 69 6e 64 6f 77 2e 72 65 73 69 7a 65 54 6f 28 77 69 6e 64 6f 77 57 69 64 74 68 2c 20 77 69 6e 64 6f 77 48 65 69 67 68 74 29 3b 0d 0a 09 09 77 69 6e 64 6f 77 2e 6d 6f 76 65 54 6f 28 6e 65 77 58 2c 20 6e 65 77 59 29
                                                                                                                                                                                  Data Ascii: / 2;window.resizeTo(windowWidth, windowHeight);window.moveTo(newX, newY);} catch (err) { }})();*/
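Added example, not part of the Joe Sandbox report or of the sample: a small parser for the session-dump format above that pairs each request with the response that follows it and pulls out what an analyst pivots on, namely the full URLs, the host, the Referer (the landing page that pulled these scripts in), the ETags of the served files, and two traits that make this traffic stand out: the User-Agent is the IE7 compatibility-mode string that this mshta.exe process sent and that no current stand-alone browser sends, and every response is application/javascript. The input is a transcription of the 1.js and 3.js exchanges from the dump (bodies omitted, headers abbreviated); the http:// scheme is assumed from the port 80 session.

```javascript
"use strict";

// Constructed input: two request/response pairs transcribed from the session dump
// above, bodies omitted and headers abbreviated. Not a new capture.
const SESSION_DUMP = `
Apr 18, 2024 09:58:26.988054037 CEST | 396 | OUT | GET /bin/src/variables/1.js HTTP/1.1
Accept: */*
Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: dwrapper-prod.herokuapp.com
Connection: Keep-Alive
Apr 18, 2024 09:58:27.199646950 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: application/javascript
Content-Length: 1798
Etag: "65c60595-706"
Via: 1.1 vegur
Apr 18, 2024 09:58:27.201025963 CEST | 396 | OUT | GET /bin/src/variables/3.js HTTP/1.1
Accept: */*
Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: dwrapper-prod.herokuapp.com
Connection: Keep-Alive
Apr 18, 2024 09:58:27.412400007 CEST | 1289 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: application/javascript
Content-Length: 2538
Etag: "65c60595-9ea"
`;

// No leading word boundary on purpose: the fused rendering "CEST396OUTGET /x HTTP/1.1"
// must match as well as the separated "| OUT | GET /x HTTP/1.1" row layout.
const REQUEST_LINE = /(GET|POST|HEAD)\s+(\S+)\s+HTTP\/1\.[01]\s*$/;
const STATUS_LINE = /HTTP\/1\.[01]\s+(\d{3})\b/;
const HEADER_LINE = /^([A-Za-z-]+):\s*(.*)$/;   // "Data Raw:" / "Data Ascii:" rows do not match

// Walk the dump line by line; each request opens a new exchange, the next status
// line switches header collection to the response side.
function parseSession(text) {
  const exchanges = [];
  let current = null;
  let side = null;          // "req" while reading request headers, "res" afterwards
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const req = REQUEST_LINE.exec(line);
    if (req) {
      current = { method: req[1], path: req[2], status: null, req: {}, res: {} };
      exchanges.push(current);
      side = "req";
      continue;
    }
    const res = STATUS_LINE.exec(line);
    if (res && current) {
      current.status = Number(res[1]);
      side = "res";
      continue;
    }
    const h = HEADER_LINE.exec(line);
    if (h && current) current[side][h[1].toLowerCase()] = h[2];
  }
  return exchanges;
}

// Indicators and the two heuristics visible in this traffic.
function triage(exchanges) {
  const urls = [];
  const etags = [];
  let legacyUa = false;
  let scriptCount = 0;
  for (const x of exchanges) {
    urls.push("http://" + (x.req.host || "") + x.path);        // scheme assumed from port 80
    if (/MSIE 7\.0;.*Trident\/7\.0/.test(x.req["user-agent"] || "")) legacyUa = true;
    if ((x.res["content-type"] || "").indexOf("javascript") !== -1) scriptCount += 1;
    if (x.res.etag) etags.push(x.res.etag.replace(/"/g, ""));
  }
  const uniq = (vals) => Array.from(new Set(vals.filter(Boolean)));
  return {
    hosts: uniq(exchanges.map((x) => x.req.host)),
    referers: uniq(exchanges.map((x) => x.req.referer)),
    urls,
    etags,
    legacyUa,
    scriptCount,
  };
}

function triageDump(text) {
  return triage(parseSession(text));
}
```

Fed the whole session, the ETag list doubles as a fingerprint of the hosted script set: every file served here carries the same 65c60595 prefix and the same Last-Modified stamp, which survives a move to a new hostname while the URL paths do not.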
Apr 18, 2024 09:58:27.201025963 CEST | 396 | OUT | GET /bin/src/variables/3.js HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
Apr 18, 2024 09:58:27.412400007 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:27 GMT
                                                                                                                                                                                  Content-Type: application/javascript
                                                                                                                                                                                  Content-Length: 2538
                                                                                                                                                                                  Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
                                                                                                                                                                                  Etag: "65c60595-9ea"
                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Expires: 0
                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                  Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 33 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 2f 2f 20 52 65 61 64 20 72 65 67 69 73 74 72 79 0d 0a 2f 2f 20 54 6f 44 6f 3a 20 d0 9f d1 80 d0 b8 d0 b4 d1 83 d0 bc d0 b0 d1 82 d1 8c 20 d0 b0 d0 b2 d1 82 d0 be 2d d1 82 d0 b5 d1 81 d1 82 d1 8b 21 21 21 0d 0a 66 75 6e 63 74 69 6f 6e 20 52 65 67 52 65 61 64 28 6b 65 79 29 20 7b 0d 0a 0d 0a 09 6b 65 79 20 3d 20 6b 65 79 2e 72 65 70 6c 61 63 65 28 27 48 4b 45 59 5f 4c 4f 43 41 4c 5f 4d 41 43 48 49 4e 45 5c 5c 27 2c 20 27 48 4b 4c 4d 5c 5c 27 29 3b 0d 0a 09 6b 65 79 20 3d 20 6b 65 79 2e 72 65 70 6c 61 63 65 28 27 48 4b 45 59 5f 43 55 52 52 45 4e 54 5f 55 53 45 52 5c 5c 27 2c 20 27 48 4b 43 55 5c 5c 27 29 3b 0d 0a 0d 0a 09 72 65 74 20 3d 20 52 65 67 52 65 61 64 33 32 28 6b 65 79 29 3b 0d 0a 0d 0a 09 69 66 20 28 28 21 72 65 74 29 20 26 26 20 28 6b 65 79 2e 69 6e 64 65 78 4f 66 28 27 5c 5c 53 4f 46 54 57 41 52 45 5c 5c 4d 69 63 72 6f 73 6f 66 74 5c 5c 27 29 20 21 3d 20 2d 31 29 29 20 7b 0d 0a 09 09 76 61 72 20 74 5f 6b 65 79 20 3d 20 6b 65 79 2e 72 65 70 6c 61 63 65
Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("3.js"); }// Read registry// ToDo: Придумать авто-тесты!!!function RegRead(key) {key = key.replace('HKEY_LOCAL_MACHINE\\', 'HKLM\\');key = key.replace('HKEY_CURRENT_USER\\', 'HKCU\\');ret = RegRead32(key);if ((!ret) && (key.indexOf('\\SOFTWARE\\Microsoft\\') != -1)) {var t_key = key.replace  (The comment after "ToDo:" is Russian, restored from the Data Raw bytes above, which the ASCII rendering dropped: "Come up with auto-tests!!!".)
Apr 18, 2024 09:58:27.412448883 CEST | 1289 | IN | Data Raw: 28 27 5c 5c 53 4f 46 54 57 41 52 45 5c 5c 4d 69 63 72 6f 73 6f 66 74 5c 5c 27 2c 20 27 5c 5c 53 4f 46 54 57 41 52 45 5c 5c 57 6f 77 36 34 33 32 4e 6f 64 65 5c 5c 4d 69 63 72 6f 73 6f 66 74 5c 5c 27 29 3b 0d 0a 0d 0a 09 09 72 65 74 20 3d 20 52 65
                                                                                                                                                                                  Data Ascii: ('\\SOFTWARE\\Microsoft\\', '\\SOFTWARE\\Wow6432Node\\Microsoft\\');ret = RegRead32(t_key);}if (!ret && is64) {ret = RegRead64(key);}return ret;}function RegRead32(key) {var ret = "";try { ret = WshShell
Apr 18, 2024 09:58:27.412486076 CEST | 854 | IN | Data Raw: 74 50 61 72 61 6d 65 74 65 72 73 2e 73 56 61 6c 75 65 29 3b 0d 0a 0d 0a 09 09 72 65 74 75 72 6e 20 6f 75 74 50 61 72 61 6d 65 74 65 72 73 2e 73 56 61 6c 75 65 3b 0d 0a 09 7d 20 63 61 74 63 68 20 28 65 72 72 6f 72 29 20 7b 0d 0a 09 09 73 65 6e 64
                                                                                                                                                                                  Data Ascii: tParameters.sValue);return outParameters.sValue;} catch (error) {sendMatomoEvent({trackEvent: {category: 'Wrapper / Antivirus blocks',action: ' RegRe
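Added example, not the sample's code: the RegRead() fallback chain that the fetched 3.js implements, re-hosted on an in-memory registry so it runs under Node. The chain exists because this mshta.exe runs from SysWOW64, i.e. as a 32-bit process, so WshShell.RegRead sees the 32-bit registry view in which HKLM\SOFTWARE\Microsoft\... is silently redirected to Wow6432Node; a value written only by 64-bit software is unreachable that way, which is why the script's last resort reads the native view through WMI (the outParameters.sValue fragment above is the shape of a registry-provider method call, consistent with StdRegProv.GetStringValue, and is what the report's "reads registry keys via WMI" behaviour refers to). The registry contents, the Example32/Example64 keys and the version value under HKCU\SOFTWARE\dwrapper are constructed for the example; `is64` stands in for the sample's global of that name.

```javascript
"use strict";

// Constructed registry contents (illustrative, not taken from the sample). Keys are
// stored as they exist on disk: 32-bit software writes under Wow6432Node, 64-bit
// software under the native tree.
const PHYSICAL = {
  "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Example32\\InstallDir": "C:\\Program Files (x86)\\Example32",
  "HKLM\\SOFTWARE\\Microsoft\\Example64\\InstallDir": "C:\\Program Files\\Example64",
  "HKCU\\SOFTWARE\\dwrapper\\version": "0.14",
};

const REDIRECTED = "HKLM\\SOFTWARE\\";
const WOW_NODE = "HKLM\\SOFTWARE\\Wow6432Node\\";

// Stand-in for WshShell.RegRead from a 32-bit host: HKLM\SOFTWARE\* is transparently
// redirected into Wow6432Node unless the caller already names Wow6432Node. (Windows
// exempts a few shared subkeys; this simulation redirects the whole tree.) A miss
// throws, as RegRead does.
function regRead32(key) {
  let physical = key;
  if (key.indexOf(REDIRECTED) === 0 && key.indexOf(WOW_NODE) !== 0) {
    physical = WOW_NODE + key.slice(REDIRECTED.length);
  }
  if (!(physical in PHYSICAL)) throw new Error("not found in 32-bit view: " + key);
  return PHYSICAL[physical];
}

// Stand-in for the sample's WMI read: the native 64-bit view, no redirection.
function regRead64(key) {
  if (!(key in PHYSICAL)) throw new Error("not found in 64-bit view: " + key);
  return PHYSICAL[key];
}

// The sample wraps each read in try/catch and treats any failure as "".
function tryRead(reader, key) {
  try { return reader(key); } catch (e) { return ""; }
}

// RegRead() with the control flow of the fetched 3.js: normalise the hive name,
// try the 32-bit view, retry under Wow6432Node for Microsoft keys, then fall back
// to the 64-bit view.
function regRead(key, is64) {
  key = key.replace("HKEY_LOCAL_MACHINE\\", "HKLM\\").replace("HKEY_CURRENT_USER\\", "HKCU\\");
  let ret = tryRead(regRead32, key);
  if (!ret && key.indexOf("\\SOFTWARE\\Microsoft\\") !== -1) {
    const tKey = key.replace("\\SOFTWARE\\Microsoft\\", "\\SOFTWARE\\Wow6432Node\\Microsoft\\");
    ret = tryRead(regRead32, tKey);
  }
  if (!ret && is64) ret = tryRead(regRead64, key);
  return ret;
}

// Why the WMI step is there: a 64-bit-only value is invisible to the 32-bit host.
function demo() {
  const key = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Example64\\InstallDir";
  return { without64: regRead(key, false), with64: regRead(key, true) };
}
```

Run from a 32-bit host, the explicit Wow6432Node retry is redundant (the first read was already redirected there); it only adds anything when the same script runs under a 64-bit mshta.exe. The third step is the one a detection should key on: a script host spawning a WMI registry read, as the WmiPrvSE.exe child in the process tree shows.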
Apr 18, 2024 09:58:27.424423933 CEST | 396 | OUT | GET /bin/src/variables/5.js HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: dwrapper-prod.herokuapp.com
                                                                                                                                                                                  Connection: Keep-Alive
Apr 18, 2024 09:58:27.635286093 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                  Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D"}]}
                                                                                                                                                                                  Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D
                                                                                                                                                                                  Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:27 GMT
                                                                                                                                                                                  Content-Type: application/javascript
                                                                                                                                                                                  Content-Length: 557
                                                                                                                                                                                  Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
                                                                                                                                                                                  Etag: "65c60595-22d"
                                                                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                  Expires: 0
                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                  Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 35 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 61 64 64 4c 6f 61 64 45 76 65 6e 74 28 66 75 6e 63 29 20 7b 0d 0a 09 76 61 72 20 6f 6c 64 6f 6e 6c 6f 61 64 20 3d 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 7c 7c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 20 7d 3b 0d 0a 09 69 66 20 28 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 21 3d 20 22 66 75 6e 63 74 69 6f 6e 22 29 20 7b 0d 0a 09 09 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 3b 0d 0a 09 7d 20 65 6c 73 65 20 7b 0d 0a 09 09 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 09 09 09 69 66 20 28 6f 6c 64 6f 6e 6c 6f 61 64 29 20 7b 0d 0a 09 09 09 09 6f 6c 64 6f 6e 6c 6f 61 64 28 29 3b 0d 0a 09 09 09 7d 0d 0a 09 09 09 66 75 6e 63 28 29 3b 0d 0a 09 09 7d 3b 0d 0a 09 7d 0d 0a 09 2f 2f 20 d0 9f d1 80 d0 be d0 b2 d0 b5 d1 80 d1 8f d0 b5 d0 bc 20 d1 81 d0 be d1 81 d1 82 d0 be d1 8f d0 bd d0 b8 d0 b5 20 d0 b4 d0 be d0 ba d1 83 d0 bc d0 b5 d0 bd d1 82 d0 b0 20 d0 b8
Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("5.js"); }function addLoadEvent(func) {var oldonload = window.onload || function () { };if (typeof window.onload != "function") {window.onload = func;} else {window.onload = function () {if (oldonload) {oldonload();}func();};}//
Apr 18, 2024 09:58:27.635304928 CEST | 161 | IN | Data Raw: 20 d0 b2 d1 8b d0 b7 d1 8b d0 b2 d0 b0 d0 b5 d0 bc 20 d1 84 d1 83 d0 bd d0 ba d1 86 d0 b8 d1 8e 20 d1 81 d1 80 d0 b0 d0 b7 d1 83 20 d0 b6 d0 b5 2c 20 d0 b5 d1 81 d0 bb d0 b8 20 d0 b4 d0 be d0 ba d1 83 d0 bc d0 b5 d0 bd d1 82 20 d1 83 d0 b6 d0 b5
Data Ascii: , if (document.readyState === "complete") {func();}}
Apr 18, 2024 09:58:27.636394024 CEST | 395 | OUT | GET /bin/src/statistics.js HTTP/1.1
Accept: */*
Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: dwrapper-prod.herokuapp.com
Connection: Keep-Alive
Apr 18, 2024 09:58:27.847291946 CEST | 1289 | IN | HTTP/1.1 200 OK
Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77JuYR3p40X2sOEPEIl2DNMpIltmYd7RWY%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Server: nginx
Date: Thu, 18 Apr 2024 07:58:27 GMT
Content-Type: application/javascript
Content-Length: 7939
Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
Etag: "65c60595-1f03"
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: 0
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 73 74 61 74 69 73 74 69 63 73 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 2f 2a 0d 0a 2f 2f 20 d0 94 d0 be d0 ba d1 83 d0 bc d0 b5 d0 bd d1 82 d0 b0 d1 86 d0 b8 d1 8f 20 d0 bf d0 be 20 4d 61 74 6f 6d 6f 20 54 72 61 63 6b 69 6e 67 20 48 54 54 50 20 41 50 49 0d 0a 2f 2f 20 68 74 74 70 73 3a 2f 2f 64 65 76 65 6c 6f 70 65 72 2e 6d 61 74 6f 6d 6f 2e 6f 72 67 2f 61 70 69 2d 72 65 66 65 72 65 6e 63 65 2f 74 72 61 63 6b 69 6e 67 2d 61 70 69 0d 0a 0d 0a 0d 0a 2f 2f 20 d0 92 d0 be d1 82 20 d0 bd d0 b5 d1 81 d0 ba d0 be d0 bb d1 8c d0 ba d0 be 20 d0 bf d1 80 d0 b8 d0 bc d0 b5 d1 80 d0 be d0 b2 20 d0 b2 d1 8b d0 b7 d0 be d0 b2 d0 b0 20 d1 84 d1 83 d0 bd d0 ba d1 86 d0 b8 d0 b8 20 73 65 6e 64 4d 61 74 6f 6d 6f 45 76 65 6e 74 28 29 20 d1 81 20 d1 80 d0 b0 d0 b7 d0 bb d0 b8 d1 87 d0 bd d1 8b d0 bc d0 b8 20 d0 bf d0 b0 d1 80 d0 b0 d0 bc d0 b5 d1 82 d1 80 d0 b0 d0 bc d0 b8 3a 0d 0a 73 65 6e 64 4d 61 74 6f 6d 6f 45 76 65 6e 74 28 7b 0d 0a 20 20 74 69 74 6c 65 3a 20 27 4d 65 6e 75 27 2c 0d 0a 20 20 75 72 6c 3a 20 27 68 74
Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("statistics.js"); }/*// Matomo Tracking HTTP API// https://developer.matomo.org/api-reference/tracking-api// sendMatomoEvent() :sendMatomoEvent({ title: 'Menu', url: 'ht
Apr 18, 2024 09:58:27.847312927 CEST | 1289 | IN | Data Raw: 74 70 73 3a 2f 2f 65 78 61 6d 70 6c 65 2e 63 6f 6d 2f 6d 65 6e 75 27 0d 0a 7d 29 3b 0d 0a 0d 0a 2f 2f 20 d0 9e d1 82 d0 bf d1 80 d0 b0 d0 b2 d0 ba d0 b0 20 d1 81 d0 be d0 b1 d1 8b d1 82 d0 b8 d1 8f 20 d1 81 20 d0 be d1 82 d0 bd d0 be d1 81 d0 b8
Data Ascii: tps://example.com/menu'});// URL:sendMatomoEvent({ title: 'Homepage', url: '/home'});//
Apr 18, 2024 09:58:27.847326040 CEST | 1289 | IN | Data Raw: 20 d0 b4 d0 b5 d0 b9 d1 81 d1 82 d0 b2 d0 b8 d0 b5 d0 bc 20 22 43 6c 69 63 6b 22 20 d0 b2 d0 bc d0 b5 d1 81 d1 82 d0 b5 20 d1 81 20 d0 b4 d0 be d0 bf d0 be d0 bb d0 bd d0 b8 d1 82 d0 b5 d0 bb d1 8c d0 bd d1 8b d0 bc d0 b8 20 d0 bf d0 b0 d1 80 d0
Data Ascii: "Click" dimension1 dimension2.sendMatomoEvent({ eventData: { eventCategory: 'Button', eventAction: 'Click' }, dimensions: {
Apr 18, 2024 09:58:27.847338915 CEST | 1289 | IN | Data Raw: 20 d0 b4 d0 bb d1 8f 20 d0 be d1 82 d0 bf d1 80 d0 b0 d0 b2 d0 ba d0 b8 20 d0 b7 d0 b0 d0 bf d1 80 d0 be d1 81 d0 b0 0d 0a 20 20 70 69 78 65 6c 2e 73 72 63 20 3d 20 6d 61 74 6f 6d 6f 53 65 74 74 69 6e 67 73 2e 6d 61 74 6f 6d 6f 55 72 6c 20 2b 20
Data Ascii: pixel.src = matomoSettings.matomoUrl + '?' + params; pixel.style.cssText = 'position: absolute; width: 1px; height: 1px; left: -1000px; top: -1000px;'; addLoadEvent(function () { document
Apr 18, 2024 09:58:27.962443113 CEST | 396 | OUT | GET /bin/img/background.jpg HTTP/1.1
Accept: */*
Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: dwrapper-prod.herokuapp.com
Connection: Keep-Alive
Apr 18, 2024 09:58:28.174279928 CEST | 1289 | IN | HTTP/1.1 200 OK
Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1713427108&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=AMdLCtQBxpAfyp1fKpqF5%2FXanxFhLvXE7C%2BcPgS4TPU%3D"}]}
Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1713427108&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=AMdLCtQBxpAfyp1fKpqF5%2FXanxFhLvXE7C%2BcPgS4TPU%3D
Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
Connection: keep-alive
Server: nginx
Date: Thu, 18 Apr 2024 07:58:28 GMT
Content-Type: image/jpeg
Content-Length: 12533
Last-Modified: Fri, 09 Feb 2024 10:59:33 GMT
Etag: "65c60595-30f5"
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: 0
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Via: 1.1 vegur
                                                                                                                                                                                  Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff db 00 43 00 0a 07 07 08 07 06 0a 08 08 08 0b 0a 0a 0b 0e 18 10 0e 0d 0d 0e 1d 15 16 11 18 23 1f 25 24 22 1f 22 21 26 2b 37 2f 26 29 34 29 21 22 30 41 31 34 39 3b 3e 3e 3e 25 2e 44 49 43 3c 48 37 3d 3e 3b ff db 00 43 01 0a 0b 0b 0e 0d 0e 1c 10 10 1c 3b 28 22 28 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b 3b ff c0 00 11 08 02 bc 05 78 03 01 22 00 02 11 01 03 11 01 ff c4 00 19 00 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 01 02 03 05 04 ff c4 00 2a 10 01 01 01 01 00 02 02 01 04 01 03 05 01 00 00 00 00 11 01 02 03 12 21 31 41 04 51 61 71 42 22 32 91 13 14 81 a1 b1 52 ff c4 00 19 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 01 02 03 04 05 ff c4 00 1e 11 01 01 01 01 00 03 00 03 01 00 00 00 00 00 00 00 00 01 11 02 12 21 31 03 13 41 51 ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 f2 c5 1f 55 f1 51 1a 40 41 60 08 28 08 28 08 2c 20 20 b1 20 20 b0 80 82 c0 10 51 44 84 50 10 00 41 40 41 40 48 29 01 11 a4 04 14 04 22 80 82 80 90 50 12 0a 45 10 58 40 64 6a 00 c8 d2 02 11 40 48 28 08 28 08 00 04 00 20 00 00 04
                                                                                                                                                                                  Data Ascii: JFIFHHC#%$""!&+7/&)4)!"0A149;>>>%.DIC<H7=>;C;("(;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;x"*!1AQaqB"2R!1AQ?UQ@A`((, QDPA@A@H)"PEX@dj@H((


                                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                  2192.168.2.4497343.126.133.169807360C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                                                  Apr 18, 2024 09:58:29.739794970 CEST581OUTGET /matomo.php?idsite=1&rec=1&rand=5523935&apiv=1&cookie=1&bots=1&res=1280x1024&h=9&m=58&s=28&uid=8118157522024418&action_name=Wrapper%20%2F%20Start%20screen%20page&url=https%3A%2F%2Fmy-domain.com%2Fstart_screen.html HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                  Host: exampledd.matomo.cloud
                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                  Apr 18, 2024 09:58:29.953696966 CEST369INHTTP/1.1 200 OK
                                                                                                                                                                                  Date: Thu, 18 Apr 2024 07:58:29 GMT
                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                  Content-Length: 101
                                                                                                                                                                                  Connection: keep-alive
                                                                                                                                                                                  Server: Apache
                                                                                                                                                                                  Vary: X-Forwarded-Port-Override,X-Forwarded-Proto-Override,Accept-Encoding,User-Agent
                                                                                                                                                                                  Content-Encoding: gzip
                                                                                                                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 15 ca b1 0d 80 30 0c 04 c0 55 7e 00 c4 0e 94 14 48 14 2c 60 05 8b 58 04 1b 39 46 c0 f6 84 ee 8a 1b 2a 26 0a 3b 0c 52 a1 16 10 ad 41 a5 f0 8a 97 a3 43 64 c6 e2 94 76 d1 0d c3 3c 22 91 fe ed 74 4b dc 12 e9 8a 5b 4a 01 3f 12 4d 91 ed 0a b0 bb 79 ff 01 d2 75 8f 77 5c 00 00 00
                                                                                                                                                                                  Data Ascii: 0U~H,`X9F*&;RACdv<"tK[J?Myuw\
                                                                                                                                                                                  Apr 18, 2024 09:58:30.139106035 CEST729OUTGET /matomo.php?idsite=1&rec=1&rand=3535895&apiv=1&cookie=1&bots=1&res=1280x1024&h=9&m=58&s=28&uid=8118157522024418&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C&e_n=&e_v=&ca=1 HTTP/1.1
                                                                                                                                                                                  Accept: */*
                                                                                                                                                                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                                                                                                                                                                  Accept-Language: en-CH
                                                                                                                                                                                  Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: exampledd.matomo.cloud
Connection: Keep-Alive
Apr 18, 2024 09:58:30.351322889 CEST  369  IN  HTTP/1.1 200 OK
Date: Thu, 18 Apr 2024 07:58:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 101
Connection: keep-alive
Server: Apache
Vary: X-Forwarded-Port-Override,X-Forwarded-Proto-Override,Accept-Encoding,User-Agent
Content-Encoding: gzip
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 15 ca b1 0d 80 30 0c 04 c0 55 7e 00 c4 0e 94 14 48 14 2c 60 05 8b 58 04 1b 39 46 c0 f6 84 ee 8a 1b 2a 26 0a 3b 0c 52 a1 16 10 ad 41 a5 f0 8a 97 a3 43 64 c6 e2 94 76 d1 0d c3 3c 22 91 fe ed 74 4b dc 12 e9 8a 5b 4a 01 3f 12 4d 91 ed 0a b0 bb 79 ff 01 d2 75 8f 77 5c 00 00 00
Data Ascii: 0U~H,`X9F*&;RACdv<"tK[J?Myuw\
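The "Data Ascii" line above is unreadable because the 101-byte body is gzip-compressed (Content-Encoding: gzip), so the report shows the compressed bytes rather than what the server actually returned. The following is an added example, not part of the Joe Sandbox report: it takes the "Data Raw" hex dump exactly as printed above, reads the RFC 1952 header and trailer (CRC32 and ISIZE) to sanity-check the capture before inflating, then inflates it and verifies the result against that trailer. The function names and the `CAPTURED_GZIP_HEX` constant are this example's own; the bytes are copied from the report.

```python
import struct
import zlib

# Gzip body of the HTTP/1.1 200 response from exampledd.matomo.cloud,
# copied from the "Data Raw" line of the report (101 bytes, matching the
# Content-Length header).
CAPTURED_GZIP_HEX = (
    "1f 8b 08 00 00 00 00 00 00 03 15 ca b1 0d 80 30 0c 04 c0 55 7e 00 c4 0e "
    "94 14 48 14 2c 60 05 8b 58 04 1b 39 46 c0 f6 84 ee 8a 1b 2a 26 0a 3b 0c "
    "52 a1 16 10 ad 41 a5 f0 8a 97 a3 43 64 c6 e2 94 76 d1 0d c3 3c 22 91 fe "
    "ed 74 4b dc 12 e9 8a 5b 4a 01 3f 12 4d 91 ed 0a b0 bb 79 ff 01 d2 75 8f "
    "77 5c 00 00 00"
)

GZIP_MAGIC = b"\x1f\x8b"
CM_DEFLATE = 8


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump (as the sandbox prints it) into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def parse_gzip_trailer(blob: bytes) -> dict:
    """Read the gzip header and trailer without inflating anything.

    RFC 1952 layout: 10-byte header (magic, CM, FLG, MTIME, XFL, OS), the
    deflate stream, then CRC32 and ISIZE (uncompressed length mod 2**32),
    both little-endian.  Checking these first tells you whether a capture
    is complete before you spend time decoding it.
    """
    if len(blob) < 18 or blob[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip member")
    cm, flg, mtime, xfl, os_id = struct.unpack("<BBIBB", blob[2:10])
    if cm != CM_DEFLATE:
        raise ValueError(f"unsupported compression method {cm}")
    crc32, isize = struct.unpack("<II", blob[-8:])
    return {"flags": flg, "mtime": mtime, "xfl": xfl, "os": os_id,
            "crc32": crc32, "isize": isize, "total_len": len(blob)}


def inflate_response_body(blob: bytes) -> bytes:
    """Inflate one gzip member and verify it against its own trailer."""
    meta = parse_gzip_trailer(blob)
    # wbits = 16 + MAX_WBITS makes zlib expect (and strip) the gzip wrapper.
    data = zlib.decompress(blob, wbits=16 + zlib.MAX_WBITS)
    if len(data) % (1 << 32) != meta["isize"]:
        raise ValueError("ISIZE mismatch: truncated or corrupt member")
    if zlib.crc32(data) & 0xFFFFFFFF != meta["crc32"]:
        raise ValueError("CRC32 mismatch: corrupt member")
    return data


def decode_captured_response() -> bytes:
    """Inflate the body captured in the report above."""
    return inflate_response_body(hex_dump_to_bytes(CAPTURED_GZIP_HEX))


if __name__ == "__main__":
    meta = parse_gzip_trailer(hex_dump_to_bytes(CAPTURED_GZIP_HEX))
    print(f"gzip member: {meta['total_len']} bytes on the wire, "
          f"ISIZE={meta['isize']} bytes, CRC32={meta['crc32']:08x}, "
          f"OS id={meta['os']}")
    print(decode_captured_response().decode("utf-8", errors="replace"))
```

The trailer alone already tells you the uncompressed body is 92 bytes (ISIZE 0x5c) and was compressed on a Unix-type host (OS id 3); the CRC check after inflating catches a mistyped or truncated dump before you start reading the decoded HTML as evidence.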


Target ID: 0
Start time: 09:58:24
Start date: 18/04/2024
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\PROD_Start_DriverPack.hta"
Imagebase: 0x5c0000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 09:58:27
Start date: 18/04/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff693ab0000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2929826579.000000000C640000.00000010.00000800.00020000.00000000.sdmp, Offset: 0C640000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_c640000_mshta.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: (Jtj$(Jtj$(Jtj$(Jtj
                                                                                                                                                                                    • API String ID: 0-3581853736
                                                                                                                                                                                    • Opcode ID: ab362f114ff152c6ed7da512ab9ef841379d2c65fbf8f6ffe0a74591b1ac6f33
                                                                                                                                                                                    • Instruction ID: bc4d6d65af4c688445c589b5b3f127294d3e1e9afe08576f39ff71c741afb4c9
                                                                                                                                                                                    • Opcode Fuzzy Hash: ab362f114ff152c6ed7da512ab9ef841379d2c65fbf8f6ffe0a74591b1ac6f33
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2CF10670B00624DFDB30CF64C985E69B7A6FF89345F118249EA456F286DB74DC42DBA0
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2928125183.0000000008FF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 08FF0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_8ff0000_mshta.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 99feea99ad72670d3449693f600e291282944572745ad6be5de66fa3e50d9b84
                                                                                                                                                                                    • Instruction ID: d357f1a74f533982014016880880a9a20f5a34aa5f43f085a3d32ca73aef0116
                                                                                                                                                                                    • Opcode Fuzzy Hash: 99feea99ad72670d3449693f600e291282944572745ad6be5de66fa3e50d9b84
                                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000003.1696898381.00000000089B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_3_89b0000_mshta.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                                                                                                                                                                    • Instruction ID: 7d53a3b9fb718a34a790ecce45f5433079facd329359b15abedf520fd8bc1821
                                                                                                                                                                                    • Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                    Uniqueness Score: -1.00%
